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Foreword 



This volume contains the main papers presented at the International Conference 
on Analytic Tableaux and Related Methods (TABLEAUX 2000) held on July 
3-7, 2000 in St Andrews, Scotland. This conference succeeded other meetings on 
the same topic held in Lautenbaclr (1992), Marseille (1993), Abingdon (1994), 
St Goar (1995), Terrasini (1996), Pont-a-Mousson (1997), Oisterwijk (1998) and 
Saratoga Springs (1999). 

Tableaux and related methods, such as Gentzen calculi, are convenient and 
effective for automating deduction not just in classical logic but also in various 
non-standard logics. Examples taken from this meeting alone include temporal, 
description, non- monotonic, tense, modal, epistemic, fuzzy and intuitionistic lo- 
gics. Areas of application include verification of software and computer systems, 
deductive databases, knowledge representation and system diagnosis. The con- 
ference brought together researchers interested in all aspects - theoretical foun- 
dations, implementation techniques, systems development, experimental compa- 
rison and applications - of the automation of reasoning by means of tableaux or 
related methods. 

Each research paper was formally evaluated by three referees, mainly mem- 
bers of the programme committee. From the 42 submissions received, 23 original 
research papers and 2 original system descriptions were chosen by the programme 
committee for presentation at the conference and for inclusion in these procee- 
dings, together with the 3 invited lectures. Also included are a summary of 
the non-classical systems Comparison ( TANCS ), descriptions of the Compari- 
son entries, and the titles and authors of position papers and tutorials , which 
were also presented at the conference. Eight systems designers expressed inte- 
rest for TANCS: two abandoned submission plans because of inefficiency and one 
because of unsoundness. All submitted systems were installed (a most painful 
process) and checked for soundness: submitted data were sampled for coherence. 
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Tableau Algorithms for Description Logics 



Franz Baader and Ulrike Sattler 
Theoretical Computer Science, RWTH Aachen, Germany 



Abstract. Description logics are a family of knowledge representation 
formalisms that are descended from semantic networks and frames via 
the system Kl-ONE. During the last decade, it has been shown that 
the important reasoning problems (like subsumption and satisfiability) 
in a great variety of description logics can be decided using tableau- 
like algorithms. This is not very surprising since description logics have 
turned out to be closely related to propositional modal logics and logics 
of programs (such as propositional dynamic logic), for which tableau 
procedures have been quite successful. 

Nevertheless, due to different underlying intuitions and applications, 
most description logics differ significantly from run-of-the-mill modal 
and program logics. Consequently, the research on tableau algorithms 
in description logics led to new techniques and results, which are, howe- 
ver, also of interest for modal logicians. In this article, we will focus on 
three features that play an important role in description logics (number 
restrictions, terminological axioms, and role constructors), and show how 
they can be taken into account by tableau algorithms. 



1 Introduction 

Description logics (DLs) are a family of knowledge representation languages 
which can be used to represent the terminological knowledge of an application 
domain in a structured and formally well-understood way. The name description 
logics is motivated by the fact that, on the one hand, the important notions of 
the domain are described by concept descriptions, i.e., expressions that are built 
from atomic concepts (unary predicates) and atomic roles (binary predicates) 
using the concept and role constructors provided by the particular DL. On the 
other hand, DLs differ from their predecessors, such as semantic networks and 
frames [44,37], in that they are equipped with a formal, logic - based semantics, 
which can, e.g., be given by a translation into first-order predicate logic. 

Knowledge representation systems based on description logics (DL systems) 
provide their users with various inference capabilities that allow them to deduce 
implicit knowledge from the explicitly represented knowledge. For instance, the 
subsumption algorithm allows one to determine subconcept-superconcept relati- 
onships: C is subsumed by D iff all instances of C are also instances of D , i.e., 
the first description is always interpreted as a subset of the second description. 
In order to ensure a reasonable and predictable behaviour of a DL system, the 
subsumption problem for the DL employed by the system should at least be 

Roy Dyckhoff (Ed.): TABLEAUX 2000, LNAI 1847, pp. 1-18, 2000. 
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decidable, and preferably of low complexity. Consequently, the expressive power 
of the DL in question must be restricted in an appropriate way. If the imposed 
restrictions are too severe, however, then the important notions of the appli- 
cation domain can no longer be expressed. Investigating this trade-off between 
the expressivity of DLs and the complexity of their inference problems has been 
one of the most important issues in DL research. Roughly, this research can be 
classified into the following four phases. 

Phase 1: First system implementations. The original Kl-ONE system [12] as 
well as its early successor systems (such as Back [43], K-Rep [36], and Loom 
[35]) employ so-called structural subsumption algorithms, which first normalise 
the concept descriptions, and then recursively compare the syntactic structure 
of the normalised descriptions (see, e.g., [38] for the description of such an algo- 
rithm). These algorithms are usually very efficient (polynomial), but they have 
the disadvantage that they are complete only for very inexpressive DLs, i.e., for 
more expressive DLs they cannot detect all the existing subsumption relations- 
hips (though this fact was not necessarily known to the designers of the early 
systems) . 

Phase 2: First complexity and undecidability results. Partially in parallel with 
the first phase, the first formal investigations of the subsumption problem in DLs 
were carried out. It turned out that (under the assumption P NP) already 
quite inexpressive DLs cannot have polynomial subsumption algorithms [10,39], 
and that the DL used by the Kl-ONE system even has an undecidable subsump- 
tion problem [49]. In particular, these results showed the incompleteness of the 
(polynomial) structural subsumption algorithms. One reaction to these results 
(e.g., by the designers of Back and Loom) was to call the incompleteness of the 
subsumption algorithm a feature rather than a bug of the DL system. The de- 
signers of the Classic system [42,9] followed another approach: they carefully 
chose a restricted DL that still allowed for an (almost) complete polynomial 
structural subsumption algorithm [8]. 

Phase 3: Tableau algorithms for expressive DLs and thorough complexity ana- 
lysis. For expressive DLs (in particular, DLs allowing for disjunction and/or ne- 
gation), for which the structural approach does not lead to complete subsump- 
tion algorithms, tableau algorithms have turned out to be quite useful: they are 
complete and often of optimal (worst-case) complexity. The first such algorithm 
was proposed by Schmidt-SchauB and Smolka [50] for a DL that they called ACC 
(for “attributive concept description language with complements”). 1 It quickly 
turned out that this approach for deciding subsumption could be extended to 
various other DLs [28,26,4,1,23] and also to other inference problems such as the 
instance problem [24]. Early on, DL researchers started to call the algorithms 
obtained this way “tableau-based algorithms” since they observed that the ori- 
ginal algorithm by Schmidt-SchauB and Smolka for ACC , as well as subsequent 
algorithms for more expressive DL, could be seen as specialisations of the tab- 

1 Actually, at that time the authors were not aware of the close connection between 
their rule-based algorithm working on constraint systems and tableau procedures for 
modal and first-order predicate logics. 
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leau calculus for first-order predicate logic (the main problem to solve was to find 
a specialisation that always terminates, and thus yields a decision procedure). 
After Schild [47] showed that ACC is just a syntactic variant of multi-modal K, 
it turned out that the algorithm by Schmidt-SchauB and Smolka was actually a 
re-invention of the known tableau algorithm for K. 

At the same time, the (worst-case) complexity of a various DLs (in particular 
also DLs that are not propositionally closed) was investigated in detail [20,21,19]. 

The first DL systems employing tableau algorithms (Kris [5] and Crack 
[13]) demonstrated that (in spite of their high worst-case complexity) these al- 
gorithms lead to acceptable behaviour in practice [6]. Highly optimised systems 
such as FaCT [30] have an even better behaviour, also for benchmark problems 
in modal logics [29,31]. 

Phase ^ ■' Algorithms and efficient systems for very expressive DLs. Motivated 
by applications (e.g., in the database area), DL researchers started to investi- 
gate DLs whose expressive power goes far beyond the one of ACC (e.g., DLs 
that do not have the finite model property). First decidability and complexity 
results for such DLs could be obtained from the connection between propositio- 
nal dynamic logic (PDL) and DLs [47]. The idea of this approach, which was 
perfected by DeGiacomo and Lenzerini, is to translate the DL in question into 
PDL. If the translation is polynomial and preserves satisfiability, then the known 
EXPTIME-algorithms for PDL can be employed to decide subsumption in expo- 
nential time. Though this approach has produced very strong complexity results 
[16,17,18] it turned out to be less satisfactory from a practical point of view. 
In fact, first tests in a database application [33] showed that the PDL formulae 
obtained by the translation technique could not be handled by existing efficient 
implementations of satisfiability algorithms for PDL [41] . To overcome this pro- 
blem, DL researchers have started to design “practical” tableau algorithms for 
very expressive DLs [32,33]. 

The purpose of this article is to give an impression of the work on tableau 
algorithms done in the DL community, with an emphasis on features that, though 
they may also occur in modal logics, are of special interest to description logics. 
After introducing some basic notions of description logics in Section 2, we will 
describe a tableau algorithm for ACC in Section 3. Although, from the modal 
logic point of view, this is just the well-known algorithm for multi-modal K, this 
section will introduce the notations and techniques used in description logics, 
and thus set the stage for extensions to more interesting DLs. In the subsequent 
three section we will show how the basic algorithm can be extended to one 
that treats number restrictions, terminological axioms, and role constructors of 
different expressiveness, respectively. 



2 Description Logics: Basic Definitions 

The main expressive means of description logics are so-called concept descripti- 
ons, which describe sets of individuals or objects. Formally, concept descriptions 
are inductively defined with the help of a set of concept constructors, starting 
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Table 1. Syntax and semantics of concept descriptions. 



Construct name 


Syntax 


Semantics 


negation 


-i c 


A X \C X 


conjunction 


cnD 


C x nD x 


disjunction 


CUD 


C X UD X 


existential restriction 


3 r.C 


{x £ A x | 3y : {x, y) £ r x A y £ C x } 


value restriction 


Vr.C 


{x £ A x | My : (x, y) £ r x ^ y £ C x } 


at-least restriction 


(^nr.C) 


{x £ A x | #{y £ A x | (x, y) £ r x A y £ C x } > n} 


at-most restriction 


(C;nr.C) 


{* € A x | #{y £ A x | (*, y) £ r x A y £ C x } < n} 



with a set Nq of concept names and a set Nr of role names. The available con- 
structors determine the expressive power of the DL in question. In this paper, 
we consider concept descriptions built from the constructors shown in Table 1, 
where C, D stand for concept descriptions, r for a role name, and n for a non- 
negative integer. In the description logic ACC, concept descriptions are formed 
using the constructors negation, conjunction, disjunction, value restriction, and 
existential restriction. The description logic ACCQ additionally provides us with 
(qualified) at-least and at-most number restrictions. 

The semantics of concept descriptions is defined in terms of an interpretation 
X = (A 1 ,- 1 ). The domain A 1 of X is a non-empty set of individuals and the 
interpretation function - x maps each concept name P £ Nq to a set P x C A x 
and each role name r £ Nr to a binary relation r x C A x xA x . The extension of 
■ x to arbitrary concept descriptions is inductively defined, as shown in the third 
column of Table 1. 

From the modal logic point of view, roles are simply names for accessibility 
relations, and existential (value) restrictions correspond to diamonds (boxes) in- 
dexed by the respective accessibility relation. Thus, any ACC description can be 
translated into a multi-modal formula and vice versa. For example, the descrip- 
tion P n 3r.P n Vr.-iP corresponds to the formula p A (r)p A [r]->p, where p is 
an atomic proposition corresponding to the concept name P. As pointed out by 
Schild [47], there is an obvious correspondence between the semantics of ACC 
and the Kripke semantics for multi-modal K, which satisfies d £ C x iff the world 
d satisfies the formula <pc corresponding to C in the Kripke structure correspon- 
ding to X. Number restrictions also have a corresponding construct in modal 
logics, so-called graded modalities [53], but these are not as well-investigated as 
the modal logic K. 

One of the most important inference services provided by DL systems is 
computing the subsumption hierarchy of a given finite set of concept descriptions. 

Definition 1. The concept description D subsumes the concept description C 
(CAZD) iff C x C D x for all interpretations I; C is satisfiable iff there exists 
an interpretation X such that C x ^ 0; and C and D are equivalent iff C C D 
and DCC. 
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In the presence of negation, subsumption can obviously be reduced to satisfia- 
bility: C C D iff C n -i D is unsatisfiable. 2 

Given concept descriptions that define the important notions of an applica- 
tion domain, one can then describe a concrete situation with the help of the 
assertional formalism of description logics. 

Definition 2. Let Ni be a set of individual names. An ABox is a finite set of 
assertions of the form C (a) ( concept assertion ) or r(a, b) ( role assertion ), where 
C is a concept description, r a role name, and a, b are individual names. 

An interpretation I, which additionally assigns elements a 1 £ A x to indivi- 
dual names a, is a model of an ABox A iff a 1 £ C x ((a 1 , b x ) £ r 1 ) holds for 
all assertions C(a) (r(a,b)) in A. 

The Abox A is consistent iff it has a model. The individual a is an instance 
of the description C w.r.t. A iff a 1 £ C x holds for all models T of A. 

Satisfiability (and thus also subsumption) of concept descriptions as well as the 
instance problem can be reduced to the consistency problem for ABoxes: (i) C 
is satisfiable iff the ABox {(7(a) } for some a £ Nj is consistent; and (ii) a is an 
instance of C w.r.t. A iff A U {->(7(a)} is inconsistent. 

Usually, one imposes the unique name assumption on ABoxes, i.e., requires 
the mapping from individual names to elements of A x to be injective. Here, we 
dispense with this requirement since it has no effect for ACC, and for DLs with 
number restrictions we will explicitly introduce inequality assertions, which can 
be used to express the unique name assumption. 



3 A Tableau Algorithm for A.CC 

Given an ACC - concept description Co, the tableau algorithm for satisfiability 
tries to construct a finite interpretation T that satisfies Co, i.e., contains an ele- 
ment Xo such that Xo £ C x . Before we can describe the algorithm more formally, 
we need to introduce an appropriate data structure in which to represent (partial 
descriptions of) finite interpretations. The original paper by Schmidt-Schaufi and 
Smolka [50], and also many other papers on tableau algorithms for DLs, intro- 
duce the new notion of a constraint system for this purpose. However, if we look 
at the information that must be expressed (namely, the elements of the inter- 
pretation, the concept descriptions they belong to, and their role relationships), 
we see that ABox assertions are sufficient for this purpose. 

It will be convenient to assume that all concept descriptions are in negation 
normal form (NNF), i.e., that negation occurs only directly in front of con- 
cept names. Using cle Morgan’s rules and the usual rules for quantifiers, any 
ACC - concept description can be transformed (in linear time) into an equivalent 
description in NNF. 

Let Cq be an AUC-concept in NNF. In order to test satisfiability of Co, 
the algorithm starts with Ao := {Co(a:o)}> and applies consistency preserving 

2 This was the reason why Schmidt-Schaufi and Smolka [50] added negation to their 
DL in the first place. 
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The — » n -rule 

Condition: A contains {CiC\C2){x), but it does not contain both Ci(x) and C2(x). 
Action: A' := A U {Ci(x), C2(x)}. 

The — » u -rule 

Condition: A contains (C 1 U C2)(x), but neither Ci(x) nor C2(x). 

Action: A! := A U {Ci(a:)}, A" := A U {C2(x)}. 

The — »3-rule 

Condition: A contains ( 3 r.C)(x), but there is no individual name z such that 
C(z) and r(x,z) are in A. 

Action: A' := Au{C(y), r(x, y)} where y is an individual name not occurring in A. 
The — »v-rule 

Condition: A contains (Vr.C)( x) and r(x,y), but it does not contain C(y). 
Action: A' := A U {C(y)}. 



Fig. 1 . Transformation rules of the satisfiability algorithm for ACC. 



transformation rules (see Fig. 1) to this ABox. The transformation rule that 
handles disjunction is nondeterministic in the sense that a given ABox is trans- 
formed into two new ABoxes such that the original ABox is consistent iff one 
of the new ABoxes is so. For this reason we will consider finite sets of ABoxes 
S = {A ±, . . . , Ak} instead of single ABoxes. Such a set is consistent iff there is 
some i, 1 < i < k, such that At is consistent. A rule of Fig. 1 is applied to a 
given finite set of ABoxes S as follows: it takes an element A of S, and replaces 
it by one ABox A! or by two ABoxes A! and A " . 

Definition 3. An ABox A is called complete iff none of the transformation 
rules of Fig. 1 applies to it. The ABox A contains a clash iff {P(x),^P(x)} C A 
for some individual name x and some concept name P. An ABox is called closed 
if it contains a clash, and open otherwise. 

The satisfiability algorithm for ACC works as follows. It starts with the 
singleton set of ABoxes {{Co(:co)}}, and applies the rules of Fig. 1 (in arbitrary 
order) until no more rules apply. It answers “satisfiable” if the set S of ABo- 
xes obtained this way contains an open ABox, and “unsatisfiable” otherwise. 
Correctness of this algorithm is an easy consequence of the following lemma. 

Lemma 1 . Let Co be an ACC-concept. in negation normal form. 

1. There cannot be an infinite sequence of rule applications 



{{Co^o)}} — > — » 1S2 — t ■ ■ ■ . 



2. Assume that S' is obtained from the finite set of ABoxes S by application of 
a transformation rule. Then S is consistent iff S' is consistent. 
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3. Any closed ABox A is inconsistent. 

f. Any complete and open ABox A is consistent. 

The first part of this lemma (termination) is an easy consequence of the facts 
that (i) all concept assertions occurring in an ABox in one of the sets S, are of 
the form C( x) were C is a subdescription of Co; and (ii) if an ABox in Si contains 
the role assertion r(x, y), then the maximal role depth (i.e., nesting of value and 
existential restrictions) of concept descriptions occurring in concept assertions 
for y is strictly smaller than the maximal role depth of concept descriptions 
occurring in concept assertions for x. A detailed proof of termination (using an 
explicit mapping into a well-founded ordering) for a set of rules extending the 
one of Fig. 1 can, e.g., be found in [4]. 

The second and third part of the lemma are quite obvious, and the fourth 
part can be proved by defining the canonical interpretation I a induced by A: 

1. The domain A Ia of I a consists of all the individual names occurring in A. 

2. For all concept names P we define P Ia := {a; | P(x) £ A}. 

3. For all role names r we define r lA := {(x,y) | r(x,y) £ A}. 

By definition, I a satisfies all the role assertions in A. By induction on the 
structure of concept descriptions, it is easy to show that it satisfies the concept 
assertions as well, provided that A is complete and open. 

It is also easy to show that the canonical interpretation has the shape of a 
finite tree whose depth is linearly bounded by the size of Co and whose branching 
factor is bounded by the number of different existential restrictions in Co- Con- 
sequently, ACC has the finite tree model property, i.e., any satisfiable concept 
Co is satisfiable in a finite interpretation I that has the shape of a tree whose 
root belongs to Co- 

To sum up, we have seen that the transformation rules of Fig. 1 reduce 
satisfiability of an ACC- concept Co (in NNF) to consistency of a finite set S of 
complete ABoxes. In addition, consistency of S can be decided by looking for 
obvious contradictions (clashes). 

Theorem 1. It is decidable whether or not an ACC -concept is satisfiable. 



Complexity issues. The satisfiability algorithm for ACC presented above may 
need exponential time and space. In fact, the size of the complete and open 
ABox (and thus of the canonical interpretation) built by the algorithm may be 
exponential in the size of the concept description. For example, consider the 
descriptions C n (n > 1) that are inductively defined as follows: 



Ci := 3 r.A n 3 r.B, 

C n + 1 := 3 r.A n 3 r.B (3 Vr.C n . 



Obviously, the size of C„ grows linearly in n. However, given the input descrip- 
tion C n , the satisfiability algorithm generates a complete and open ABox whose 
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canonical interpretation is a binary tree of depth n, and thus consists of 2 n+1 — 1 
individuals. 

Nevertheless, the algorithm can be modified such that it needs only poly- 
nomial space. The main reason is that different branches of the tree model to 
be generated by the algorithm can be investigated separately, and thus the tree 
can be built and searched in a depth-first manner. Since the complexity class 
NPSPACE coincides with PSPACE [46], it is sufficient to describe a nondeter- 
ministic algorithm using only polynomial space, i.e. , for the nondeterministic 
— > u -rule, we may simply assume that the algorithm chooses the correct alterna- 
tive. In principle, the modified algorithm works as follows: it starts with {Co(:ro)} 
and 

1. applies the — » n - and — ►□-rules as long as possible and checks for clashes; 

2. generates all the necessary direct successors of xq using the — >g-rule and 
exhaustively applies the — >v-rule to the corresponding role assertions; 

3. successively handles the successors in the same way. 

Since the successors of a given individual can be treated separately, the algorithm 
needs to store only one path of the tree model to be generated, together with 
the direct successors of the individuals on this path and the information which 
of these successors must be investigated next. Since the length of the path is 
linear in the size of the input description Co, and the number of successors is 
bounded by the number of different existential restrictions in Co, the necessary 
information can obviously be stored within polynomial space. 

This shows that the satisfiability problem for ACC- concept descriptions is 
in PSPACE. PSPACE-hardness can be shown by a reduction from validity of 
Quantified Boolean Formulae [50]. 

Theorem 2. Satisfiability of ACC -concept descriptions is PSPACE-complete. 

The consistency problem for AXC-ABoxes. The satisfiability algorithm 
described above can also be used to decide consistency of A£C-ABoxes. Let Ao 
be an A£C-ABox such that (w.l.o.g.) all concept descriptions in A are in NNF. 
To test Ao for consistency, we simply apply the rules of Fig. 1 to the singleton 
set {Ao}. It is easy to show that Lemma 1 still holds. Indeed, the only point that 
needs additional consideration is the first one (termination). Thus, the rules of 
Fig. 1 yield a decision procedure for consistency of ATC-ABoxes. 

Since now the canonical interpretation obtained from a complete and open 
ABox need no longer be of tree shape, the argument used to show that the sa- 
tisfiability problem is in PSPACE cannot directly be applied to the consistency 
problem. In order to show that the consistency problem is in PSPACE, one can, 
however, proceed as follows: In a pre- completion step, one applies the transfor- 
mation rules only to old individuals (i.e., individuals present in the original ABox 
Ao). Subsequently, one can forget about the role assertions, i.e., for each indivi- 
dual name in the pre-completed ABox, the satisfiability algorithm is applied to 
the conjunction of its concept assertions (see [25] for details). 

Theorem 3. Consistency of ACC-ABoxes is PSPACE-complete. 




Tableau Algorithms for Description Logics 



9 



4 Number Restrictions 

Before treating the qualified number restrictions introduced in Section 2, we 
consider a restricted form of number restrictions, which is the form present in 
most DL systems. In unqualified number restrictions, the qualifying concept is 
the top concept T, where T is an abbreviation for PU->P, i.e., a concept that is 
always interpreted by the whole interpretation domain. Instead of (^nr.T) and 
(^nr.T), we write unqualified number restrictions simply as (^nr) and (^nr). 
The DL that extends ACC by unqualified number restrictions is denoted by 
ACCM. 

Obviously, ACCM- and ACC Q-concept descriptions can also be transformed 
into NNF in linear time. 



4.1 A Tableau Algorithm for ACCM 

The main idea underlying the extension of the tableau algorithm for ACC to 
ACCM is quite simple. At-least restrictions are treated by generating the requi- 
red role successors as new individuals. At-most restrictions that are currently 
violated are treated by (nondeterministically) identifying some of the role suc- 
cessors. To avoid running into a generate-identify cycle, we introduce explicit 
inequality assertions that prohibit the identification of individuals that were 
introduced to satisfy an at-least restriction. 

Inequality assertions are of the form x fl y for individual names x, y, with 
the obvious semantics that an interpretation I satisfies x y iff x x ^ y 1 . These 
assertions are assumed to be symmetric, i.e., saying that x y belongs to an 
ABox A is the same as saying that y fl x belongs to A. 

The satisfiability algorithm for ACCM is obtained from the one for ACC by 
adding the rules in Fig. 2, and by considering a second type of clashes : 

- {(^nr)(a:)} U {r(x,yi) \l<i<n+l}U{yi^yj\l<i<j<n+l}CA 
for x, 2 / 1 , . . . , y n +i £ Nj, r € Nr, and a nonnegative integer n. 

The nondeterministic — ><-rule replaces the ABox A by finitely many new ABo- 
xes Aij. Lemma 1 still holds for the extended algorithm (see e.g. [7], where this 
is proved for a more expressive DL). This shows that satisfiability (and thus also 
subsumption) of ACCM-concept descriptions is decidable. 



Complexity issues. The ideas that lead to a PSPACE algorithm for ACC can 
be applied to the extended algorithm as well. The only difference is that, before 
handling the successors of an individual (introduced by at-least and existential 
restrictions), one must check for clashes of the second type and generate the 
necessary identifications. However, this simple extension only leads to a PSPACE 
algorithm if we assume the numbers in at-least restrictions to be written in base 
1 representation (where the size of the representation coincides with the number 
represented). For bases larger than 1 (e.g., numbers in decimal notation), the 
number represented may be exponential in the size of the representation. Thus, 
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The — »>-rule 

Condition: A contains (~^nr)(x), and there are no individual names z 1 ,... ,z n 
such that r(x, Zi) (1 < i < n) and Zi ^ Zj (1 <i<j< n) are contained in A. 

Action: A' := A U {r(x,yi) | 1 < * < n} U {yi ^ yj | 1 < i < j < n}, where 
j/i , . . . , y n are distinct individual names not occurring in A. 

The — ><-rule 

Condition: A contains distinct individual names y i, . . . , y n +i such that (^nr)( x) 
and r(x, yi), . . . , r(x, y n +i) are in A, and yi ^ yj is not in A for some i A j. 

Action: For each pair yi,yj such that i < j and yi ^ yj is not in A, the ABox 
Ai,j ’■= [yi/yj\A is obtained from A by replacing each occurrence of yi by yj. 



Fig. 2. The transformation rules handling unqualified number restrictions. 



we cannot introduce all the successors required by at-least restrictions while only 
using space polynomial in the size of the concept description if the numbers in 
this description are written in decimal notation. 

It is not hard to see, however, that most of the successors required by the at- 
least restrictions need not be introduced at all. If an individual x obtains at least 
one r-successor due to the application of the — ^g-rule, then the — >->-rule need not 
be applied to x for the role r. Otherwise, we simply introduce one r-successor 
as representative. In order to detect inconsistencies due to conflicting number 
restrictions, we need to add another type of clashes: {(^nr)(:r), (^mr)(i)} C A 
for nonnegative integers n < m. The canonical interpretation obtained by this 
modified algorithm need not satisfy the at-least restrictions in Cq. However, it 
can easily by modified to an interpretation that does, by duplicating r-successors 
(more precisely, the whole subtrees starting at these successors). 

Theorem 4. Satisfiability of ACC Af -concept descriptions is PSPACE-complete. 



The consistency problem for A.CCJ\f-ABoxes. Just as for ACC. the exten- 
ded rule set for ACCM can also be applied to arbitrary ABoxes. Unfortunately, 
the algorithm obtained this way need not terminate, unless one imposes a specific 
strategy on the order of rule applications. For example, consider the ABox 

Aq := {r(a, a), (3r.P)(a), «lr)(a), (Vr.3r.P)(a)}. 

By applying the — f-g-rule to a, we can introduce a new r-successor x of a: 

A\ := Aq U {r(a, x), P{x)}. 

The — f-y-rule adds the assertion (3r.P)(a:), which triggers an application of the 
— >g-rule to x. Thus, we obtain the new ABox 



A 2 := A i U {(3r.P)(x), r(x, y), P(y)j. 
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The — t c hoose- r ule 



Condition: A contains nr.C)(x ) and r(x,y ), but neither C(y) nor -> C(y). 

Action: A' := A U {C'(y)}, A" := A U {—><17 (j/)} - 



Fig. 3. The — Ahoose~ ru l e f° r qualified number restrictions. 



Since a has two r-successors in A 3 , the — ><-rule is applicable to a. By replacing 
every occurrence of x by a, we obtain the ABox 

A 3 := A 0 U {P(a), r(a,y ), P{y)}. 

Except for the individual names (and the assertion P(a), which is, however, 
irrelevant), A 3 is identical to A\ . For this reason, we can continue as above to 
obtain an infinite chain of rule applications. 

We can easily regain termination by requiring that generating rules (i.e., the 
rules — 13 and — !>) may only be applied if none of the other rules is applicable. 
In the above example, this strategy would prevent the application of the — Sa- 
rnie to x in the ABox A\ U {(3r.P)(;r)} since the — >-<-rule is also applicable. 
After applying the — ><-rule (which replaces x by a), the — ig-rule is no longer 
applicable since a already has an r-successor that belongs to P. 

In order to obtain a PSPACE algorithm for consistency of ACCA/’-ABoxes, 
the pre-completion technique sketched above for ACC can also be applied to 
ACCAf [25], 

Theorem 5. Consistency of ACCAf -ABoxes is PSPACE-complete. 

4.2 A Tableau Algorithm for ACCQ 

An obvious idea when attempting to extend the satisfiability algorithm for 
ACCAf to one that can handle ACCQ is the following (see [53]): 

— Instead of simply generating n new r-successors y 1 , . . . , y n in the — >>-rule, 
one also asserts that these individuals must belong to the qualifying concept 
C by adding the assertions C{yi) to A' . 

- The — ><-rule only applies if A also contains the assertions C{yf) (1 < i < 
n + 1). 

Unfortunately, this does not yield a correct algorithm for satisfiability in ACCQ. 
In fact, this simple algorithm would not detect that the concept description 
(^3r) n (^lr.P) n (^lr.->P) is unsatisfiable. The (obvious) problem is that, 
for some individuals a and concept descriptions C , the ABox may neither con- 
tain C(a) nor -iC(a), whereas in the canonical interpretation constructed from 
the ABox, one of the two must hold. In order to overcome this problem, the 
nondeterministic — Uhoose-rule of Fig. 3 must be added [26]. Together with the 
— Ahoose-rule, the simple modification of the — >>- and — ><-rule described above 
yields a correct algorithm for satisfiability in ACC Q [26] . 
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Complexity issues. The approach that leads to a PSPACE-algorithm for ACC 
can be applied to the algorithm for ACCQ as well. However, as with ACCM , this 
yields a PSPACE-algorithm only if the numbers in number restrictions are assu- 
med to be written in base 1 representation. For ACCQ , the idea that leads to a 
PSPACE-algorithm for ACCM with decimal notation does no longer work: it is 
not sufficient to introduce just one successor as representative for the role suc- 
cessors required by at-least restrictions. Nevertheless, it is possible to design a 
PSPACE-algorithm for ACCQ also w.r.t. decimal notation of numbers [52]. Like 
the PSPACE-algorithm for ACC , this algorithm treats the successors separately. 
It uses appropriate counters (and a new type of clashes) to check whether quali- 
fied number restrictions are satisfied. By combining the pre-completion approach 
of [25] with this algorithm, we also obtain a PSPACE-result for consistency of 
ACC Q-ABoxes. 

Theorem 6. Satisfiability of ACCQ- concept descriptions as well as consistency 
of ACCQ- A Boxes are PSPACE-complete problems. 

5 Terminological Axioms 

DLs systems usually provide their users also with a terminological formalism. 
In its simplest form, this formalism can be used to introduce names for complex 
concept descriptions. More general terminological formalisms can be used to 
state connections between complex concept descriptions. 

Definition 4. A TBox is a finite set of terminological axioms of the form C = 
D, where C,D are concept descriptions. The terminological axiom C = D is 
called concept definition iff C is a concept name. 

An interpretation I is a model of the TBox T iff C x = D x holds for all 
terminological axioms C = D in T. 

The concept description D subsumes the concept description C w.r.t. the 
TBox T (C Cj- D) iff C x C D x for all models T ofT; C is satisfiable w.r.t. T 
iff there exists a model I ofT such that C x ^ 0. The A box A is consistent w.r.t. 
T iff it has a model that is also a model of T. The individual a is an instance 
of C w.r.t. A and T iff a 1 € C x holds for each model I of A and T ■ 

In the following, we restrict our attention to terminological reasoning (i.e. , 
the satisfiability and subsumption problem) w.r.t. TBoxes; however, the me- 
thods and results also apply to assertional reasoning (i.e., the instance and the 
consistency problem for ABoxes). 



5.1 Acyclic Terminologies 

The early DL systems provided TBoxes only for introducing names as abbrevia- 
tions for complex descriptions. This is possible with the help of acyclic termino- 
logies. 




Tableau Algorithms for Description Logics 



13 



Definition 5. A TBox is an acyclic terminology iff it is a set of concept defi- 
nitions that neither contains multiple definitions nor cyclic definitions. Multiple 
definitions are of the form A = C, A = D for distinct concept descriptions C 1 D, 
and cyclic definitions are of the form A\ = C\, . . . , A n = C n , where A, ; occurs 
in Ci- 1 (1 < i < n) and Ai occurs in C n . If the acyclic terminology T contains 
a concept definition A = C, then A is called defined name and C its defining 
concept . 

Reasoning w.r.t. acyclic terminologies can be reduced to reasoning without 
TBoxes by unfolding the definitions: this is achieved by repeatedly replacing 
defined names by their defining concepts until no more defined names occur. 
Unfortunately, unfolding may lead to an exponential blow-up, as the following 
acyclic terminology (due to Nebel [39]) demonstrates: 

{A 0 = Vr.Ai n Vs.Ai, . . . , A„_i A Vr.A„ n Vs.A„}. 

This terminology is of size linear in n, but unfolding applied to A 0 results in 
a concept description containing the name A n 2 n times. Nebel [39] also shows 
that this complexity can, in general, not be avoided: for the DL J-Cq, which 
allows for conjunction and value restriction only, subsumption between concept 
descriptions can be tested in polynomial time, whereas subsumption w.r.t. acyclic 
terminologies is coNP-complete. 

For more expressive languages, the presence of acyclic TBoxes may or may 
not increase the complexity of the subsumption problem. For example, subsump- 
tion of concept descriptions in the language ACC is PSPACE-complete, and so 
is subsumption w.r.t. acyclic terminologies [34]. Of course, in order to obtain 
a PSPACE-algoritlrm for subsumption in ACC w.r.t. acyclic terminologies, one 
cannot first apply unfolding to the concept descriptions to be tested for sub- 
sumption since this may need exponential space. The main idea is that one uses 
a tableau algorithm like the one described in Section 3, with the difference that 
it receives concept descriptions containing defined names as input. Unfolding is 
then done on demand : if the tableau algorithm encounters an assertion of the 
form A(x), where A is a name occurring on the left-hand side of a definition 
A = C in the terminology, then it adds the assertion C( x). However, it does not 
further unfold C at this stage. It is not hard to show that this really yields a 
PSPACE-algorithm for satisfiability (and thus also for subsumption) of concepts 
w.r.t. acyclic terminologies in ACC [34]. 

Theorem 7. Satisfiability w.r.t. acyclic terminologies is PSPACE-complete in 

ACC. 

Although this technique also works for many extensions of ACC (such as 
ACCAf and ACCQ ), there are extensions for which it fails. One such example 
is the language ACCiF, which extends ACC by functional roles as well as agree- 
ments and disagreements on chains of functional roles (see, e.g., [34] for the de- 
finition of these constructors). Satisfiability of concept descriptions is PSPACE- 
complete for this DL [27], but satisfiability of concept descriptions w.r.t. acyclic 
terminologies is NEXPTIME-complete [34]. 
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5.2 General TBoxes 

For general terminological axioms of the form C == D, where C may also be a 
complex description, unfolding is obviously no longer possible. Instead of con- 
sidering finitely many such axiom C\ = Di, . . . ,C n = D n , it is sufficient to 
consider the single axiom C = T, where 

C := (-.Ci u Di) n (Ci u -,Dx) n • • • n (-.C n u D n ) n {C n u -.£>„) 

and T is an abbreviation for P U -i P. 

The axiom C = T just says that any individual must belong to the concept 
C . The tableau algorithm for ACC introduced in Section 3 can easily be modified 
such that it takes this axiom into account: all individuals are simply asserted to 
belong to C . However, this modification may obviously lead to nontermination 
of the algorithm. 

For example, consider what happens if this algorithm is applied to test con- 
sistency of the ABox Ao := {(3r.P)(xo)} modulo the axiom 3 r.P = T: the 
algorithm generates an infinite sequence of ABoxes A\ , A 2 , ■ ■ . and individuals 
Xi,X2,--- such that Aj+i := Ai U {r(xi, aq+i), P(xi + ±), (3r.P)(£ i+:L )}. Since all 
individuals X{ ( i > 1 ) receive the same concept assertions as aq, we may say that 
the algorithms has run into a cycle. 

Termination can be regained by trying to detect such cyclic computations, 
and then blocking the application of generating rules: the application of the 
rule — >3 to an individual x is blocked by an individual y in an ABox A iff 
{D | D(x) CA}Q {£>' | D'(y) £ A}. The main idea underlying blocking is that 
the blocked individual x can use the role successors of y instead of generating new 
ones. For example, instead of generating a new r-successor for x 2 in the above 
example, one can simply use the r-successor of x\. This yields an interpretation X 
with A 1 := {xo, xpaq}, P 1 ~ {xi,x 2 }, and r 1 := {(£ 0 ,£i), (x 1 ,x 2 ),(x 2 ,x 2 )}. 
Obviously, X is a model of both Ao and the axiom 3r.P = T. 

To avoid cyclic blocking (of x by y and vice versa), we consider an enu- 
meration of all individual names, and define that an individual x may only be 
blocked by individuals y that occur before x in this enumeration. This, together 
with some other technical assumptions, makes sure that a tableau algorithm 
using this notion of blocking is sound and complete as well as terminating both 
for ACC and ACCM (see [14,2] for details). 

Theorem 8. Consistency of ACCM- ABoxes w.r.t. TBoxes is decidable. 

It should be noted that the algorithm is no longer in PSPACE since it may 
generate role paths of exponential length before blocking occurs. In fact, even 
for the language ACC , satisfiability modulo general terminological axioms is 
known to be EXPTIME-complete [48]. 

Blocking does not work for all extensions of ACC that have a tableau-based 
satisfiability algorithm. An example is again the DL ACCT , for which satisfia- 
bility is decidable, but satisfiability w.r.t. general TBoxes undecidable [40,3]. 
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6 Expressive Roles 

The DLs considered until now allowed for atomic roles only. There are two ways 
of extending the expressivity of DLs w.r.t. roles: adding role constructors and 
allowing to constrain the interpretation of roles. 

Role constructors can be used to build complex roles from atomic ones. In 
the following, we will restrict our attention to the inverse constructor, but other 
interesting role constructors have been considered in the literature (e.g., Boolean 
operators [15] or composition and transitive closure [1,47]). The inverse r~ of a 
role name r has the obvious semantics: (r - ) 1 := {(y,x) \ (x,y) £ r 1 }. 

Constraining the interpretation of roles is very similar to imposing frame con- 
ditions in modal logics. One possible such constraint has already been mentioned 
in the previous section: in ACCT the interpretation of some roles is required to 
be functional. Here, we will consider transitive roles and role hierarchies. In a 
DL with transitive roles , a subset of the set of all role names Nr is fixed 
[45]. Elements of must be interpreted by transitive binary relations. (This 
corresponds to the frame condition for the modal logic K 4 .) A role hierarchy is 
given by a finite set of role inclusion axioms of the form r C s for roles r, s. 
An interpretation X satisfies the role hierarchy hi iff r 1 C s 1 holds for each 
r Q s £R. 

DLs with transitive roles and role hierarchies have the nice property that 
reasoning w.r.t. TBoxes can be reduced to reasoning without TBoxes using a 
technique called internalisation [3,30,32]. Like in Section 5.2, we may assume 
that TBoxes are of the form T = {C = T}. In SR , the extension of ACC with 
transitive roles and role hierarchies, we introduce a new transitive role name 
u and assert in the role hierarchy that it is a super-role of all roles occurring 
in C and the concept description Co to be tested for satisfiability. Then, Co 
is satisfiable w.r.t. T iff C n C n Vu.C is satisfiable. Extending this reduction 
to inverse roles consists simply in making u also a super-role of the inverse 
of each role occurring in C or Co [32]. This reduction shows that a tableau 
algorithm for SR must also employ some sort of blocking to ensure termination 
(see Section 5.2). 

Things become even more complex if we consider the DL SRXT, which 
extends SR by the inverse of roles and functional roles. In fact, it is easy to 
show that SRXT no longer has the finite model property, i.e. , there are satis- 
fiable SRXT-concept descriptions that are not satisfiable in a finite interpreta- 
tion [32]. Instead of directly trying to construct an interpretation that satisfies 
Cq (which might be infinite), the tableau algorithm for SRXT introduced in 
[32,33] first tries to construct a so-called pre-model , i.e., a structure that can be 
“unravelled” to a (possibly infinite) canonical (tree) interpretation. To ensure 
termination (without destroying correctness), the algorithm employs blocking 
techniques that are more sophisticated than the one described in Section 5.2. In- 
terestingly, an optimised implementation of this algorithm in the system I-FaCT 
behaves quite well in realistic applications [33]. A refinement of the blocking 
techniques employed for SRXT can be used to prove that satisfiability in SX 
(i.e., the extension of ACC by transitive and inverse roles) is in PSPACE [51,33]. 
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Finally, let us briefly comment on the difference between transitive roles and 
transitive closure of roles. Transitive closure is more expressive, but it appears 
that one has to pay dearly for this. In fact, whereas there exist quite efficient im- 
plementations for very expressive DLs with transitive roles, inverse roles, and role 
hierarchies (see above), no such implementations are known (to us) for closely 
related logics with transitive closure, such as converse-PDL (which is a notatio- 
nal variant of the extension of ACC by transitive closure, union, composition, 
and inverse of roles [47]). One reason could be that the known tableau algorithm 
for converse-PDL [22] requires a “cut” rule, which is massively nondeterministic, 
and thus very hard to implement efficiently. An other problem with transitive 
closure is that a blocked individual need no longer indicate “success” , as is the 
case in DLs with transitive roles (see, e.g., the discussion of “good” and “bad” 
cycles in [1]). 
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Abstract. Two things are done in this paper. First, a modal logic in 
which one can quantify over both objects and concepts is presented; a 
semantics and a tableau system are given. It is a natural modal logic, ex- 
tending standard versions, and capable of addressing several well-known 
philosophical difficulties successfully. Second, this modal logic is used to 
introduce a rather different way of looking at relational databases. The 
idea is to treat records as possible worlds, record entries as objects, and 
attributes as concepts, in the modal sense. This makes possible an intui- 
tively satisfactory relational database theory. It can be extended, by the 
introduction of higher types, to deal with multiple- valued attributes and 
more complex things, though this is further than we take it here. 



1 Introduction 

A few years ago my colleague, Richard Mendelsohn, and I finished work on our 
book, “First-Order Modal Logic,” [2]. In it, non-rigidity was given an exten- 
sive examination, and formal treatments of definite descriptions, designation, 
existence, and other issues were developed. I next attempted an extension to 
higher-order modal logic. After several false starts (or rather, unsatisfactory 
finishes) this was done, and a book-length manuscript is on my web page in- 
viting comments, [1], Carrying out this extension, in turn, led me to rethink 
the first-order case. There were two consequences. First, I came to realize that 
the approach in our book could be extended, without leaving the first-order le- 
vel, to produce a quite interesting logic with a natural semantics and a tableau 
proof procedure. And second, I realized that this modal logic provided a natural 
alternative setting for relational databases, which are usually treated using first- 
order classical logic. In this paper I want to sketch both the modal logic and its 
application to databases. 

In a full treatment of first-order modal logic, one must be able to discourse 
about two kinds of things: individual objects and individual concepts. “George 
Washington” and “Millard Fillmore” denote individual objects, while “the Presi- 
dent of the United States” denotes an individual concept, which in turn denotes 
various individuals at different times. Or again, at the time I am writing this 
the year is 2000. This particular year is an individual object. “The current year” 
is an individual concept, and will not always denote 2000. In [2] we had quan- 
tifiers ranging over individual objects, and constant symbols with values that 
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were individual concepts. That was a good combination to elucidate a number 
of well-known philosophical problems, but it is not a full picture. In this paper 
the formal system presented will have quantifiers over individual objects, and 
also a second kind of quantifier ranging over individual concepts. Likewise there 
will be two kinds of constant symbols. The system of [2] can be embedded in the 
present one. (Of course this is only approximate. In our book we had function 
symbols, and we do not have them here. There are other differences as well, but 
the embedability claim is essentially correct.) I’ll begin with a presentation of 
the logic, and then consider its applications to databases. 

In a sense, using the modal logic of this paper to supply a semantics for rela- 
tional databases does not give us anything new. We are able to treat things that, 
previously, had been treated using classical first-order logic. The modal point of 
view is substantially different, and hence interesting, but does not expand our 
concept of relational database. The real significance lies in what comes next, 
just after the conclusion of this paper. The modal logic presented here is the 
first-order fragment of a higher-order modal logic, with both extensional and in- 
tensional objects at each level. When such a logic is applied to database theory, 
we get a natural setting within which to model multiple-valued relations, relati- 
ons having a field whose values are sets of attributes, and more complex things 
yet. Think of the present paper, then, as providing a different point of view on 
what is generally understood, and as signaling the approach of an extension, 
which can be glimpsed down the road. 

2 Syntax 

The syntax of this version of first-order modal logic is a little more complex than 
usual, and so some care must be taken in its presentation. 

There are infinitely many variables and constants, in each of two categories: 
individual objects and individual concepts. I’ll use lowercase Latin letters x, y, 
z as object variables, and lowercase Greek letters a, (3, 7 as concept variables. 
(Based on the notion that the ancient Greeks were the theoreticians, while the 
Romans were the engineers.) The Greek letter g, with or without subscripts, 
represents a variable of either kind. For constants, I’ll use lowercase Latin letters 
such as a, b , c for both kinds, and leave it to context to sort things out. 

Definition 1 (Term). A constant symbol or a variable is a term. It is an 
object term if it is an individual object variable or constant symbol. Similarly 
for concept terms. 

If t is a concept term, ft is an object term. It is called a relativized term. 

The idea is, if t is a concept term, ft is intended to designate the object 
denoted by t, in a particular context. Sometimes I’ll refer to j. as the evaluate at 
operator. 

Since there are two kinds of variables and constants, assigning an arity to 
relation symbols is not sufficient. By a type I mean a finite sequence of o’ s and c’s, 
such as (c, o, c). Think of an o as marking an object position and a c as marking 
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a concept position. There are infinitely many relation symbols of each type. In 
particular there is an equality symbol, =, of type (o, o). That is, equality is a 
relation on individual objects. One could also introduce a notion of equality for 
individual concepts, but it will not be needed here. I allow the empty sequence 
() as a type. It corresponds to what are sometimes called propositional letters, 
taking no arguments. 

Definition 2 (Formula). The set of formulas, and their free variables, is de- 
fined as follows. 

1. If P is a relation symbol of type (), it is an atomic formula, and has no free 
variables. 

2. Suppose R is a relation symbol of type (n\, n 2 , . . . , n\f) and t\, < 2 . • • • . tfc is 
a sequence of terms such that U is an individual object term if ni = o and 
is an individual concept term if ni = c. Then R(t\,t 2 , ■ ■ ■ ,tk) is an atomic 
formida. Its free variables are the variable occurrences that appear in it. 

3. if X is a formula, so are ~>X, OX, and <>X. Free variable occurrences are 
those of X. 

f. If X and Y are formulas, so are ( X A Y), (I V K), and ( X D Y). Free 
variable occurrences are those of X together with those ofY. 

5. If X is a formula and g is a variable (of either kind), (Vg)X and (3g)X are 
formulas. Free variable occurrences are those of X, except for occurrences of 
Q- 

6. If X is a formida, g is a variable (again of either kind), and t is a term 
of the same kind as g, (A g.X)(t) is a formula. Free variable occurrences are 
those of X, except for occurrences of g, together with those oft. 

As usual, parentheses will be omitted from formulas to improve readability. 
Also = (x, y) will be written as x = y. And finally, a formula like 

(Api.(Ap2-(Ae3.A)(t 3 ))(t 2 ))(ti) 

will be abbreviated by the simpler expression 

(Af?i, Q 2 , Q3-X) (fl, t 2 , < 3 ) 

and similarly for other formulas involving iterated abstractions. 



3 Semantics 

I will only formulate an S5 logic — the ideas carry over directly to other logics, 
but S5 is simplest, the ideas are clearest when stated for it, and it is all that is 
actually needed for databases. 

Frames essentially disappear, since we are dealing with S5. A model has a 
set of possible worlds, but we can take every world to be accessible from every 
other, and so no explicit accessibility relation is needed. 
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The usual constant/ varying domain dichotomy is easily ignored. For first- 
order modal logics generally, a constant domain semantics can simulate a varying 
domain version, through the use of an explicit existence predicate and the rela- 
tivization of quantifiers to it. Here I’ll take object domains to be constant — not 
world dependent — which makes things much simpler. 

Since the language has two kinds of terms, we can expect models to have 
two domains — two sorts, in other words. There will be a domain of individual 
objects, and a domain of individual concepts. Concepts will be functions, from 
possible worlds to individual objects. It is not reasonable, or desirable, to insist 
that all such functions be present. After all, if there are countably many possible 
worlds, there would be a continuum of such concept functions even if the set of 
individual objects is finite, and this probably cannot be captured by a proof 
procedure. But anyway, the notion of an individual concept presupposes a kind 
of coherency for that individual concept — not all functions would be acceptable 
intuitively. I simply take the notion of individual concept as basic; I do not try 
to analyize any coherency condition. It is allowed that some, not necessarily all, 
functions can serve as individual concepts. 

Definition 3 (Model). A model is a structure A4 = {Q ,'D 01 'D C ,I) , where: 

1. Q is a non-empty set, of possible worlds; 

2. V 0 is a non-empty set, of individual objects; 

3. V c is a non-empty set of functions from Q to V 0 , called individual concepts; 

j. X is a mapping that assigns: 

a) to each individual object constant symbol some member ofV 0 ; 

b) to each individual concept constant symbol some member ofV c ; 

c) to each relation symbol of type () a mapping from Q to {false, true}; 

d) to each relation symbol of type {n\,U 2 , • • • , nu) a mapping from Q to the 
power set ofD ni x V n2 x • • • x V nk . It is required thatX(=) be the constant 
mapping that is identically the equality relation on V 0 . 

Some preliminary machinery is needed before truth in a model can be cha- 
racterized. 

Definition 4 (Valuation). A valuation v in a model M. is a mapping that 
assigns to each individual object variable some member ofT> 0 , and to each indi- 
vidual concept variable some member ofV c . 



Definition 5 (Value At). Let A4 = (G ,T> 0 ,T> C ,I) be a model, and v be a 
valuation in it. A mapping ( v *X ) is defined, assigning a meaning to each term, 
at each possible world. Let r £ Q . 

1. If q is a variable, (v *X)(g,r) =v(g). 

2. If c is a constant symbol, (v *T)(c, T) =X(c). 

3. If ji is a relativized term, (v*X)({t, T) = (v * I)(t)(T). 
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Item 3 is especially significant. If ft is a relativized term, t must be a constant 
or variable of concept type, and so (v * I) ( t ) has been defined for it in parts 1 
and 2, and is a function from worlds to objects. Thus (v *X)(t)(P) is a member 
of V a . 

Now the main notion, which is symbolized by A4, r lb„ <&, and is read: formula 
L> is true in model A4, at possible world P, with respect to valuation v. To make 
reading easier, the following special notation is used. Let f?i, . . . , £>fc be variables 
of any type, and let d\, . . . , d k be members of U P c , with di 6 V a if the 
variable g t is of object type, and di € V c if gi is of concept type. Then 

M,r\\- V <P[g 1 /di,... ,Qk/dk] 

abbreviates: Ai,T lb„/ where v' is the valuation that is like v on all variables 
except pi, ... , £>fc, and v'(gi) = di, .... , v'(g k ) = d k . 

Here is the central definition. For simplicity, take V, D, 3, and O as defined 
symbols, in the usual way. 

Definition 6 (Truth in a Model). Let Af = (Q ,T> 0 ,T> C ,I) be a model, and v 
be a valuation in it. 

1. If P is of type (), M,T lb„ P iff X{P){r) = true. 

2. If R(ti , . . . , t k ) is atomic, M, r lb„ R{t \, ... , t k ) iff 

((v*T)(t u r),-.- ,(v*X)(t h ,r)) sx(R)(r). 

3. M,r\\- V ^ iff M,r\f v $. 

4- M,r\\- V <?>Af iff M,r\h v <P andM,r lh„ <P. 

5. M,T Ib^ (f/x)I> iff M,T lb„ d>[x/d } for all d £ V 0 . 

6. M,T lb„ (Va)^ iff M, r lb^ I>[a/d] for all d G V c . 

1. M,T lb„ □<? iff M, A\\- v I> for all A eg. 

8. M., r lb„ (Xg.I>)(t) if M, T lb„ <P[g/d), where d = (v * I)(t, T) . 

Definition 7 (Validity). A closed formula X is valid in a model if it is true 
at every world of it. 

A notion of consequence is a little more complicated because, in modal set- 
tings, it essentially breaks in two. These are sometimes called local and global 
consequence notions. For a set S of formulas, do we want X to be true at every 
world at which members of S are true (local consequence), or do we want X to 
be valid in every model in which members of S are valid (global consequence). 
These have quite different flavors. Fortunately, for S5, the situation is somewhat 
simpler than it is for other modal logics since, to say X is valid in a model is 
just to say OX is true at some world of it. So, if we have a notion of local con- 
sequence, we can define a corresponding global consequence notion simply by 
introducing necessity symbols throughout. So, local consequence is all we need 
here. 

Definition 8 (Consequence). A closed formida X is a consequence of a set 
S of closed formulas if, in every model, X is true at each world at which all the 
members of S are true. 
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4 Rigidity 

An individual concept term t can vary from world to world in what it designates. 
Call t rigid in a model if it is constant in that model, designating the same object 
at each world. This is a notion that plays an important role in philosophy. For 
instance Kripke [3], among others, asserts that names are rigid designators. The 
notion of rigidity can be captured by a formula. Assume c is an individual concept 
constant symbol in the following. 



(Ax.D(a; =4c))(4c) (1) 

It is quite straightforward to show that (1) is valid in a model if and only if the 
interpretation of c is rigid in that model. In [2] this, in turn, was shown to be 
equivalent to the vanishing of the de re/de dicto distinction, though this will not 
be needed here. 

One can also speak of relativized notions of rigidity. Let us say the interpre- 
tation of c is rigid on a particular subset Qo of the collection Q of possible worlds 
of a model provided it designates the same object throughout Qo- And let us say 
c is rigid relative to d in a model provided the interpretation of c is rigid on any 
subset of worlds on which the interpretation of d is rigid. (Of course, this notion 
applies to individual concept terms that are variables as well. I’m using constant 
symbols just as a matter of convenience.) The notion of c being rigid relative to 
d is captured by formula (2). 



(Xx,y.D[x =\dD y =ic])(id,\c) (2) 

One can also consider more complicated situations. Formula (3) asserts that 
c is rigid relative to the rigidity of d and e jointly. 



{Xx,y,z.U[(x =\d Ay =\e) D z =\c\){\d,\e,\c) (3) 

Finally, one can even say that all individual concepts are rigid relative to 
c. This is done in formula (4). Individual concept quantification is obviously 
essential here. 



(\/a)(Xx,y.n[x =lc D y =\a])(\c,\a) (4) 

5 Databases with a Single Relation 

In this section we begin taking a look at relational databases. What we consider 
is quite basic, and can be found in any textbook on databases — [4] is a good 
source. Relational databases are commonly reasoned about using classical first- 
order logic. I want to show that modal logic is also a natural tool for this purpose. 
For now, only a single relation will be considered — this will be extended later. 
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The record is the basic unit of a relational database, yet it is not a first-class 
object in the sense that it is not something we can get as an answer to a query. 
We could get a record number, perhaps, but not a record. We will take the 
records of a relational database to be the possible worlds of a Kripke model. In 
any standard modal language possible worlds, in fact, cannot be directly spoken 
of. The accessibility relation will be the usual S5 one, though there could be 
circumstances where something more complex might be appropriate. 

Entries that fill fields of a relational database generally can be of several data 
types. To keep things simple, let’s say there is just one data type used for this 
purpose. (In examples I’ll use strings.) Looking at this in terms of modal logic, 
these field entries will be the individual objects of a Kripke model. 

Next come the attributes themselves. If the database is one listing family 
relationships, say, and there is an attribute recording “father-of,” it has a value 
that varies from record to record, but in every case that value is what we have 
taken to be an individual object. In other words, attributes are simply individual 
concepts. 

The next question is, what about things like functional dependencies, keys, 
and so on? Let’s begin with the notion of functional dependency. Say we have 
a relational database in which there are two attributes, call them c and d, and 
c is functionally dependent on d. Then, if we are at an arbitrary possible world 
(record) at which c and d have particular values, at any other world at which 
d has the value it has in this one, c must also have the same value it has in 
this one. This can be expressed by requiring validity of the following formula, in 
which we assume c and d of the Kripke model also occur as individual concept 
constants of the language, and designate themselves. 



(A x,y.n[x =4 d D y =4c])(jd,4c) 

But this is just formula (2), and says c is rigid relative to d. In this case, a 
functional dependency can be expressed by a relative rigidity assertion. 

More complicated functional dependencies also correspond to relative rigidity 
formulas. For instance, if c is functionally dependent on {d, e}, this is expressed 
by (3). 

Next, what about the notion of key si As usually treated, to say an attribute 
c is a key is to say there cannot be two records that agree on the value of c. 
We cannot quite say that, since records cannot directly be spoken of. What we 
can say is that two possible worlds agreeing on the value of c must agree on the 
values of all attributes. More formally, this is expressed by the validity of the 
following formula. 



{ya){\x,y.U[x =4c D y =4a])(4c,ja) 

Note that this is our earlier formula (4). 

Now, what does the design of a relation schema look like from the present 
modal point of view? We must specify the domain for atomic values of the re- 
lation schema. Semantically, that amounts to specifying the set V Q of a modal 
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model. Proof-theoretically, it amounts to saying what the individual object con- 
stant symbols of the formal language are. (I’ll generally assume that constant 
symbols of the language can also occur in models, and designate themselves.) 

Next, we must specify what the attributes for the relation schema are. This 
amounts to specifying the set T> c of a model, or the set of individual concept 
constant symbols of a language. 

Finally, we must impose some constraints, such as requiring that some at- 
tribute or set of attributes be a key, or that various functional dependencies 
must hold. This corresponds to taking appropriate relative rigidity formulas as 
axioms. 

6 A Simple Example 

In this section I’ll show how a simple, standard, example translates into modal 
language both semantically and proof-theoretically. Consider the relation schema 
with five attributes: NAME, SSN, BIRTHDATE, JOBNUMBER, and JDBTITLE. It will be 
assumed that SSN is the primary key, and JOBNUMBER is functionally dependent 

on JOBTITLE. 

We set up a formal language with “NAME,” “SSN,” “BIRTHDATE,” “JOBNUMBER,” 
and “JOBTITLE” as individual concept constant symbols. Then we adopt the fol- 
lowing two constraint axioms. 

1. □(Va)(Ax, y.O[x =jSSN D y =4a])(jSSN, 4a) 

2. D(Ax, 2 /.m[x =jjOBTITLE D y =jj OBNUMBER] ) (jJOBT ITLE , jJ OBNUMBER) 

Table 1 displays a particular relation instance of this relation schema. 



Table 1 . The relation PERSONS 



NAME 


SSN 


BIRTHDATE 


JOBNUMBER 


JOBTITLE 


Adam 


1 


01/06/-4004 


1 


Gardener 


Eve 


2 


01/08/-4004 


2 


Explorer 


Cain 


3 


10/21/-4004 


1 


Gardener 


Abel 


4 


11/05/-4003 


2 


Shepherd 


Seth 


5 


02/04/-3983 


2 


Explorer 



To represent this relation instance as a modal axiomatic theory, we add the 
following to the constraint axioms above; we call them instance axioms. 

3. 0[(jNAME = Adam) A (jSSN = 1) A (jBIRTHDATE = 01/06/-4004) A 
(jJOBNUMBER = 1) A (jJOBTITLE = Gardener)] 

4. 0[()NAME = Eve) A (jSSN = 2) A (.(BIRTHDATE = 01/08/-4004) A 
((JOBNUMBER = 2) A ((JOBTITLE = Explorer)] 

5. 0[((NAME = Cain) A ((SSN = 3) A ((BIRTHDATE = 10/03/-4004) A 
((JOBNUMBER = 1) A ((JOBTITLE = Gardener)] 
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6. 0[(jNAME = Abel) A (jSSN = 4) A (jBIRTHDATE = 08/05/-4003) A 
(jJOBNUMBER = 2) A (JdOBTITLE = Shepherd)] 

7. 0[(jNAME = Seth) A (jSSN = 5) A (jBIRTHDATE = 02/04/-3983) A 
(jJOBNUMBER = 2) A (jJOBTITLE = Explorer)] 

This, of course, assumes individual object constant symbols, “01/06/-4004,” 
“Adam,” and so on have been added to the language. I’ll also assume these sym- 
bols are intended to designate distinct objects. This gives us a (long) list of 
axioms. 

8. -i(l = 2), -'(Adam = Eve), etc. 

Corresponding to this, semantically, we have the following S5 model. There 
are five possible worlds, one for each of the five rows of Table 1; call them 
A, 72,73, A, and r 5 . V Q = {Adam, 1, 01/06/-4004, . . . }. V c = {NAME, SSN, 
BIRTHDATE, JOBNUMBER, JOBTTTLE}, where NAME is the function that maps A 
to Adam, A to Eve, and so on. X(Adam) = Adam, . . . , I(NAME) = NAME, and so on. 

Finally, here are some sample queries, in modal language. First, who are the 
explorers? This corresponds to the following, in which appropriate keys (social 
security numbers) are desired. 

(A;c.O[(jSSN = x) A (jJOBTITLE = Explorer)]) (5) 

Suppose we abbreviate formula (5) by Q. Then, on the one hand, Q(z) is true 
in the modal model we constructed just in case 2 is 2 or 5. On the other hand, 
Q{z) is provable in the axiom system we constructed just in case z is 2 or 5. 
Here is a second sample query: is there more than one gardener? 



(3a;)(3y){0[(jSSN = x) A ({JOBTTTLE = Gardener)] A 

0[(jSSN = y) A ({JOBTITLE = Gardener)] A (6) 

~‘{x = V )} 

Formula (6) is derivable from our axioms, and true in our model. 

7 Connections 

In the example of the previous section we saw that being a consequence of certain 
axioms and being true in a particular model could coincide. Now we examine to 
what extent this is generally the case. 

Suppose we have a relation schema R and a corresponding set of constraints 
concerning keys and functional dependencies. Associated with R is a set of con- 
straint axioms, which I’ll denote axiom)??), consisting of formulas like (2), (3), 
and (4). I’ll omit an exact definition — axioms 1 and 2 of the example in the pre- 
vious section is a sufficient guide. Note that these axioms are either quantifier 
free, or else involve just universal quantifiers, and □ is the only modal operator. 
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Next, suppose we have a relation instance r of the relation schema R — a 
particular set of tuples. Associated with this is a set of instance axioms, all of 
which are quantifier free. Again I omit an exact definition, but axioms 3-7 of the 
previous section illustrate the notion sufficiently. Finally there are distinctness 
axioms , as in axiom 8 of the previous section. By axiom (r) I mean the collection 
of these instance axioms and distinctness axioms, together with the members of 
axiom (R). Clearly, to say r is an instance of R and satisfies the constraints, is 
just to say axiom(r) is a consistent set of model axioms. 

Next, we want a designated modal model to correspond to relation instance 
r. Again, the example of the previous section serves as a guide. We want the 
model, denote it by model (r), meeting the following conditions. The collection 
of possible worlds Q is the collection of tuples in r. The domain T> 0 of individual 
objects is just the collection of table entries in r. The domain T> c of individual 
concepts is the collection of attributes of relation schema R. The interpretation 
X maps each table entry (as a constant of the modal language) to itself (as a 
member of V 0 ). And X maps each attribute ATT to the function whose value at 
tuple (possible world) r is the entry in the tuple r corresponding to ATT. The 
only relation symbol is =, which is interpreted as equality on T> 0 . 

Question: what are the connections between axiom(r) and model(?’)? I don’t 
know the most general answer to this, but here is something that accounts for 
what was seen in the previous section. Note that the queries considered there, 
formulas (5) and (6), were either quantifier free or involved existential quantifiers 
of individual object type only. This is significant. 

Definition 9. Call a closed modal formida simple existential if it is of the form 



(3xi) • • • (3x„)04> 



where <F is quantifier and modality free, and contains only = as a relation symbol. 



Proposition 1. For a relation instance r and a simple existential sentence X, 
X is a consequence of axiom(r) if and only if X is true in model(r). 

I’ll postpone a proof of this to Section 12.3. 

8 Partial Concepts 

We have taken individual concepts to be total functions on the set of possible 
worlds of a modal model. But there are many circumstances where a more general 
notion is desirable. “The King of France,” for instance, designates an individual 
at many points in history, but not at all of them. Fortunately, it is straightforward 
to allow partiality. 

Definition 3, of modal model, is changed as follows. From now on T> c will be a 
non-empty set of functions, each from some subset of Q to V 0 , where that subset 
can be proper. If r is not in the domain of some individual concept /, we will 
write f(r) = _L, where _L is an arbitrary item not a member of D a . Definition 5, 
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value at, can be used with no change in wording, but notice that the scope of 
part 3 has been extended. If \t is a relativized term, and r is not in the domain 
of (v * X)(t), then (v * X){\ t, r) = (v * X)(t)(r) = _L. 

Now Definition 6, truth in a model, must also be modified. I’ll follow the 
pretty obvious general principle that one cannot ascribe properties to what is 
designated by a non-designating term. In the Definition, item 2 is changed to 
read as follows. 

2. If R(ti , . . . , tk) is atomic, 

a) if any of (v*I)(ti, T), . . . , (v*X)(tk, r) is _L then M, r I f v R(t \, . . . , tk); 

b) otherwise M,T H-„ R(ti, . . . , tk) iff {(v * X)(ti,T ), ... ,(v* X)(tk , -T)) £ 

x (R)(r). 

Also item 8 must be changed. 

8. For an abstract (A g.<P)(t), 

a) if {v*X)(t,r) = _L, M,r\y- V (\g.$)(t); 

b) otherwise M . , X lb„ {\g.<P)(t) if M.,T lb„ X>[g/d\, where d = (v*X)(t, r). 

Notice that, with the definitions modified in this way, \.t =\.t is true at a 
world of a model if and only if the term t “designates” at that world. This 
makes possible the following piece of machinery. 

Definition 10 (Designation Formula). D abbreviates the abstract (Xa. 
a =4n). 

Clearly A 4,T lh„ D(t) iff (v *X )(t,T) ^ _L, where M = (G,X> 0 ,T> C ,X). Thus D 
really does express the notion of designation. 

Now our earlier notions of rigidity and relative rigidity must be modified. We 
say c is rigid if it designates the same thing in all worlds in which it designates 
at all. This means formula (1) must be replaced with the following, if we want 
to express a notion of rigidity allowing for partial concepts. 



D(c) D (Ax.D[D(c) D (x =4c)])(4c) (7) 

Likewise, c being rigid relative to d must be modified. It should now say: if d 
designates in two worlds, and designates the same thing, then if c also designates 
in those worlds, it must designate the same thing at both. This means formula 
(2) must be replaced with the following. 



(D(c)AD(d)) d (A*,y.D[(D(c) AD(d)Ax=\d) D (y =\c)}){ld,\c) (8) 

Similar changes must be made to the other notions from Section 4. In par- 
ticular, (4), expressing that every attribute is rigid relative to c, gets expressed 
as follows. 



(Va){(D(c) A D(a)) D (Ax, y.D[(D(c) A D(a) A x =\c) D ( y =|a)])(4 j C,4 jQ 0} 

(9) 
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9 Relational Databases More Generally 

A relational database generally has more than one relation involved. Now that 
partial individual concepts are available, this is easy to handle. Suppose we add 
to the database containing the relation given in Table 1 a second relation, given 
in Table 2. 



Table 2. The relation LOCATION 



JOBNUMBER 


WHERE 


1 


Home 


2 


Away 



We allowed, in our modal language, relation symbols of type (). Let us in- 
troduce two specific ones, PERSONS and LOCATION, intended to distinguish the 
two relations we now have. The idea is, we will have two kinds of possible 
worlds, those at which LOCATION is true and those at which PERSONS is true. 
The first kind of world should correspond to a row of the LOCATION table, and 
so JOBNUMBER and WHERE should be defined, but nothing else. Similarly for the 
second kind. This gives us the following new kinds of constraint axioms. 

1. □{PERSONS D [D(JOBNUMBER) A ^D(WHERE) a D(NAME) a d(ssn) 
AD(BIRTHDATE) a d(jobtitle)]} 

2. □{LOCATION D [D (JOBNUMBER) A D (WHERE) A ^D(NAME) A ^D(SSN) 
A^D(BIRTHDATE) a ^D(JOBTITLE)]} 

We still want the functional dependencies we had before, but these need to 
be modified to take partiality of intensional concepts into account. We also want 
a new dependency saying WHERE is functionally dependent on JOBNUMBER. These 
take the following form. 

3. □(Va){(D(SSN) A D(a)) D (Ax, j/.Q[(D(SSN) A D(a) A x ={SSN) D (y ={ 
a)])({SSN,{a)} 

4. n{(D( JOBNUMBER) A D(JOBTITLE)) □ 

(Xx, j/.D[(D(J0BNUMBER) A D(JOBTITLE) A x ={J0BTITLE) D 
(y ={J0BNUMBER)])({J0BTITLE, {JOBNUMBER)} 

5. □{(D(JOBNUMBER) A D(WHERE)) I) 

(Xx, j/.a[(D(jOBNUMBER) A D (WHERE) A X = {WHERE) D 
(y ={J0BNUMBER)]) ({WHERE, {JOBNUMBER)} 

Next we need the instance axioms. These are quite straightforward. 

6. O[L0CATI0N A ({JOBNUMBER = 1) A ({WHERE = Home)] 

7. O[L0CATI0N A ({JOBNUMBER = 2) A ({WHERE = Away)] 
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8. O [PERSONS A (JNAME = Adam) A (JSSN = 1) A (JBIRTHDATE = 01/06/-4004) A 
(JJOBNUMBER = 1) a (JJOBTITLE = Gardener)] 

9. O [PERSONS A (JNAME = Eve) A (JSSN = 2) A (JBIRTHDATE = 01/08/-4004) A 
(JJOBNUMBER = 2) a (JJOBTITLE = Explorer)] 

10. O [PERSONS A (JNAME = Cain) A (JSSN = 3) A (JBIRTHDATE = 10/03/-4004) A 
(JJOBNUMBER = 1) a (JJOBTITLE = Gardener)] 

11. O [PERSONS A (JNAME = Abel) A (JSSN = 4) A (JBIRTHDATE = 08/05/-4003) A 
(JJOBNUMBER = 2) a (JJOBTITLE = Shepherd)] 

12. O [PERSONS A (JNAME = Seth) A (JSSN = 5) A (JBIRTHDATE = 02/04/-3983) A 
(JJOBNUMBER = 2) a ( JJOBTITLE = Explorer)] 

Finally we assume that all our object constant symbols are distinct. 

13. ->(1 = 2), ^(Home = Away), -i(Adam = Eve), etc. 

10 Tableaus 

Since consequence issues are important, a sound and complete proof procedure 
can be useful. Fortunately, standard tableau methods using prefixed formulas 
adapt quite naturally. 

Proofs, and derivations, will be of closed formulas. As usual, in order to 
handle existential quantifiers, parameters will be introduced. We can think of 
these as being additional constant symbols, added to the language for the pur- 
pose of proof construction. Since we have two kinds of quantifiers, object and 
concept, we will have two kinds of parameters as well. I’ll use p°, q°, etc. as 
object parameters, and p c , q c , etc. as concept parameters. 

A prefix for S5 is simply a positive integer, which we can intuitively think 
of as the name of a possible world in some model. Unlike in more conventional 
treatments of modal logic, we must allow not only formulas, but also certain 
terms to have prefixes. For example, if c is an individual concept constant symbol, 
its designation in a model will vary from world to world. Think of c with prefix 
n as the individual object that c designates at the world named by n. To keep 
notation simple, I’ll violate the literal meaning of the word “prefix,” and display 
them as subscripts. Thus c n is an example of a prefixed concept constant symbol. 
In our proofs, individual concept constants and individual concept parameters 
may have prefixes. 

A little more formally, by an extended formula I mean one that may con- 
tain parameters, and in which individual concept constants and parameters may 
have prefixes. A prefixed concept constant or parameter is considered to be an 
individual object term. All proofs will be of closed formulas, but closed extended 
formulas will appear in proofs. 

A prefixed formula is a closed extended formula, with a prefix, and here we 
actually write them as prefixes. Thus, if X is a closed, extended formula, and n 
is a positive integer, nX is a prefixed formula. 

As usual, a tableau proof of a sentence A is a tree with 1 ->X at the root, 
and meeting certain other conditions which we will specify. Think of the initial 
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prefixed formula as intuitively asserting there is a world of a model, denoted 
by 1, at which X is not true. The tableau is constructed using various branch 
extension rules. In them cr is an arbitrary prefix. 

Conjunctive Rules 

a X AY a n(IV7) a^(XoY) 
aX a^X aX 

aY a ->y <j-Y 

Double Negation Rule 

a —i—iX 
aX 

Disjunctive Rules 

aXWYa^(XAY) ctXdY 
aX\aY cr^X\a^Y a^X\aY 

Necessity Rules For any positive integer n that already occurs on the branch, 

a OX cr-iOX 
nX n~ 'X 

Possibility Rules If the positive integer n is new to the branch, 

a OX cr-iOX 
nX n^X 

Concept Existential Rules In the following, p c is an individual concept pa- 
rameter that is new to the tableau branch. 

a (3a)<£(a) cr — i (Va)^(a) 

<7 4>(p C ) <7 ~^4>{p C ) 

Object Existential Rules In the following, p° is an individual object para- 
meter that is new to the tableau branch. 

a (3x)4>(x) <7~i(Vx)&(x) 
a 4 >(p° ) <j ~^4>(p°) 

Concept Universal Rules In the following, r is any individual concept con- 
stant symbol or parameter. 

a(\/a)4>(a) a -<(3a)4>(a) 
a4>(r) ct-i4>(t) 

Object Universal Rules In the following, r is any individual object constant 
symbol or parameter, or a prefixed individual concept constant symbol or para- 
meter. 

a(\/x)4>(x) cr -<(3x)4>(x) 
a4>(r) <7 ~i4>(t) 
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Concept Abstract Rules In the following, r is an individual concept constant 
symbol or parameter. 

er (A a.#(a))(r) a -i(Aa.<£(a))(r) 

Object Abstract Rules In the following, r is an individual object constant 
symbol, parameter, or a prefixed individual concept constant symbol or parame- 
ter. 

a (\x.<P(x))(t) a ~i(Ax.<P(x))(t) 

a 

Before giving the next set of abstract rules, recall that we are allowing indi- 
vidual concepts to be partial functions in models. If r is an individual concept 
constant symbol or parameter, what is the status of j,r? If we are at a world in 
the domain of the individual concept named by r, \.t should be the individual 
object designated by that concept at that world, and otherwise it should be _L. 
Now, if we know (Aax<£(;r))(4.T) is true at a world, it must be that j,r is not 
_L at that world, since an abstract applied to _L is false. In such a case we can 
introduce a name for the object designated by t at the world; we do this by 
prefixing (subscripting) r. On the other hand, if we know (Xx. < P(x))(\.t) is false, 
it could be that r does not designate, or it could be that it does, but designates 
something making false. In such cases we need other information to conclude 
whether or not \r is _L. This gives us the motivation for the following rules. 

Mixed Abstract Rules In the two rules following, r is an individual concept 
constant symbol or parameter. 

a (Ax.<P(x))(l t) 

<T<P(T a ) 

In addition, if t g already occurs on the tableau branch, the following rule may 
be applied. 

a ->(Aa;.^(a;))(4.T) 

a^<P(Tcr) 

Rules similar to these apply to atomic formulas as well. 

Atomic Rules In the two rules following, r is an individual concept constant 
symbol or parameter, R is a relation symbol, and . . . represents a sequence of 
terms. 

crR(... 4t, ...) 
cri?(... , Tfj , . . . ) 

And, if r a already occurs on the tableau branch, the following rule may be 
applied. 

a^R(... ,|r, ...) 
cr-.i?.(... ,7V,,..) 
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Finally, we have the rules for equality. The first one corresponds to the se- 
mantic fact that equality is interpreted the same at every world; if individual 
objects are equal at some world, they are equal at every world. 

Equality Transfer Rule If n and r 2 are individual object constant symbols 
or parameters, or prefixed individual concept constant symbols or parameters, 
and if cr 1 is a prefix that already occurs on the branch 



g Qi = t 2 ) 

a' (n = r 2 ) 

Reflexivity Rule If r is an individual object constant symbol, parameter, or 
a prefixed individual concept constant symbol or parameter, and the prefix a 
already occurs on the branch, 



<7 (r = r) 

Substitutivity Rule If t\ and r 2 are individual object constant symbols or 
parameters, or prefixed individual concept constant symbols or parameters 

a’ (n = t 2 ) 

<t^(t 2 ) 

This concludes the presentation of the branch extension rules. 

Definition 11 (Closed). A tableau branch is closed if it contains aX and 
cr-iX for some X. A tableau is closed if every branch is closed. 



Definition 12 (Proof and Derivation). A sentence (without parameters) 
is provable if there is a closed tableau beginning with 1 Likewise, <L> has a 
derivation from a set S of sentences if there is a closed tableau beginning with 
l-i<£, in which IX can be added to any branch at any point, for any X that is 
a member of S. 

This concludes the description of the tableau system. 

11 A Derivation Example 

The example given here is a derivation of 

-iO[LOCATION A (jJOBNUMBER = 1) A (jWHERE = Away)] (10) 

from the axioms of Section 9. It establishes that O[L0CATI0N A (jJOBNUMBER = 
1) A (j-WHERE = Away)] cannot be inserted into the database, because it violates 
an integrity constraint. Before presenting the derivation itself, here is a derived 
rule that will shorten the presentation. 
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Derived Rule Suppose r is an individual concept constant symbol or parame- 
ter. 

a 4-r = a 
a D(r) D <P 
a <3> 

Think of this as abbreviating the following tableau construction. 

<7 \r = a 1. 
crD(r) d <P 2. 

(7T a = a 3. 




ct-iD(t) 4. cr<P 5. 

(7^{\x.\x=\ x)(r) 6. 

a -.(4-r =4.r) 7. 

C t^(t <7 = t <7 ) 8. 

G (To- = Ter) 9. 

Explanation: 3 is from 1 by an atomic rule; 4 and 5 are from 2 by a disjunctive 
rule; 6 is 4 unabbreviated; 7 is from 6 by a concept abstract rule; 8 is from 
7 by an atomic rule, making use of the fact that r CT occurs in 3; 9 is by the 
reflexivity rule. The left branch is closed, and the right branch gives the effect 
of the conclusion of the derived rule. 

Now, the derivation of formula (10) is in Figure 1. The explanation of Figure 1 
is as follows: 2 is from 1 by the double negation rule; 3 is from 2 by a possibility 
rule; 4, 5, and 6 are from 3 by repeated uses of a conjunction rule; 7 introduces 
axiom 5 of Section 9; 8 is from 7 by a necessity rule; 9 is from 5, 6, and 8 by 
repeated uses of the derived rule above; 10 is from 9 by a mixed abstract rule; 
11 is from 10 by an object abstract rule; 12 is axiom 7 of Section 9; 13 is from 12 
by a possibility rule; 14, 15, and 16 are from 13 by repeated conjunction rules; 
17 is from 11 by a necessity rule; 18 is from 15, 16, and 17 by the derived rule 
above (slightly modified); 19 and 20 are from 18 by a disjunctive rule; 21 is from 
16 by an atomic rule, as are 22 from 20, 23 from 19, 24 from 5, 25 from 6, and 
26 from 15; 27 is from 25 by an equality transfer rule, as is 28 from 24; 29 is 
from 23 and 27 by a substitutivity rule, as are 30 from 22 and 28, 31 from 27 
and 29, and 32 from 26 and 30; 33 is by the reflexivity rule; 34 is by axiom 13 
of Section 9; and 35 is from 34 by an equality transfer rule. 

As another, and simpler, example, you might try giving a derivation of the 
following, essentially establishing that Eve is someone who works Away. 

(Ax, 2/.(3 z){0 [PERSONS A (jNAME = x) A (jJOBNUMBER = z)\ 

AO[LOCATION A (jJOBNUMBER = z) A (jWHERE = j/)]})(Eve, Away) 

( 11 ) 
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12 Completeness et. al. 

In this section I’ll sketch soundness and completeness arguments for the tableau 
system, as well as give a proof for Proposition 1. Nothing is given in much 
detail, because proofs are straightforward adaptations of what are, by now, fairly 
standard arguments. 

12.1 Soundness 

Soundness is by the usual tableau method. One defines a notion of satisfiability 
for prefixed formulas — a set S is satisfiable if there is a model Ai, a mapping m 
assigning to each prefix a a possible world m{a) of At, and a formula $ is true 
at world ?n(c r) of Ai whenever cr<P £ S. A tableau is called satisfiable if the set of 
prefixed formulas on one of its branches is satisfiable. Then one shows that each 
tableau rule preserves tableau satisfiability. This requires a case by case check. 

Now, if there is a closed tableau for 1 ~^X, then X must be valid. For, other- 
wise, there would be some model in which X was false at some world. It follows 
that the set { 1 — } is satisfiable, so we begin with a satisfiable tableau. Then 
we can only get satisfiable tableaus, and since we had a closed tableau for 1->A 
we have the impossible situation of having a closed, satisfiable tableau. 

12.2 Completeness 

Suppose X is a sentence that has no tableau proof — it must be shown that X 
is not valid. Again the methodology is standard. Also, while the proof sketch 
below is just for tableau provability, and not derivability, the argument extends 
directly. I’m giving the simpler version, for simplicity. 

Begin by constructing a tableau for 1 ~^X, and do so systematically, in such 
a way that all tableau rules are fairly applied. That is, during the tableau con- 
struction, any rule that could eventually be applied is. There are many such 
fair tableau construction procedures — I’ll leave the details to you. The result is 
a tableau that does not close — say it has an open branch 9 (Konig’s lemma is 
needed to guarantee such a branch exists, if the tableau construction is infinite). 
Now, construct a model as follows. 

1. The set Q of possible worlds is the set of prefixes that occur on branch 9. 

2. The domain T> 0 of objects is the set consisting of: all individual object con- 
stant symbols of the language, all individual object parameters that occur 
on 9, and all subscripted (prefixed) individual concept constant symbols and 
parameters that occur on 9. 

3. if / is an individual concept constant symbol, or individual concept parame- 
ter that occurs on 9, a function / is defined as follows. The domain of / is 
the set of prefixes a such that f a occurs on 9. And if a is in the domain of 
/ then /(cr) = f fj . Note that / maps a subset of Q to V 0 . The domain T> c of 
concepts is the set of all these f. 

4. For the interpretation X\ 
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a) X assigns to each member of T> 0 itself. 

b) X assigns to each / that is an individual concept constant or parameter 
(on 9) the function /. 

c) X assigns to a relation symbol P of type () the mapping from Q to 
{false, true} such that X{P){a) = true iff a P occurs on 6. 

d) To make this clause easier to state, I’ll use the following notation. If / 
is an object symbol, set / = /. If / is a concept constant or parameter, 
/ has already been defined. Now, X assigns to a relation symbol R of 
type (ni,ri 2 , . . . ,Uk) a mapping on Q such that (ti , ... ,tk) € X(R)(a) 
iff a R(t \, ... , tfc) occurs on 9. 

This completes the definition of a model, call it Xi. Actually, the equality 
symbol may not be interpreted by equality, but leaving this aside for the moment, 
one can show by standard methods involving an induction on formula degree 
that, for any valuation v: 

— If a X 1 occurs on 9 then Xi, a lb„ X>. 

— If cr occurs on 9 then Xi,cr \j/- v <P. 

The valuation v can be arbitrary because free variables do not occur in tableaus. 
Since 1 ~>X begins the tableau, it occurs on 9 , and hence X is not valid in Xi 
since it is false at world 1. 

Finally, one “factors” the model Xi using the equivalence relation that is the 
interpretation of the equality symbol, turning it into a normal modal model. The 
Equality Transfer Rule tells us that the interpretation of the equality symbol will 
be the same at every world of Xi. I’ll leave details to you. 

12.3 A Sketch of Proposition 1 

Assume r is a relation instance and X a simple existential sentence X. All 
members axiom(r) are true in model(r), so if A is a consequence of axiom(r), 
then X will be true in model (r). It is the converse direction that needs work. 

Suppose X is not a consequence of axiom (r). Then X does not have a tableau 
derivation from axiom (r). Suppose we now carry out the steps of the comple- 
teness argument, from Section 12.2. We begin a tableau for \->X, carry out its 
construction systematically and, since it is a derivation, we introduce members 
of axiom (r) onto the branch during the construction. As usual, I’ll omit details. 

Members of axiom(r) that are constraint axioms all involve □ in a positive 
location — they do not involve O. The sentence X is simple existential, and so 
~^X contains O in a negative location — it behaves like □. None of these formulas, 
then, can invoke applications of a possibility rule. Only the instance axioms of 
axiom(r) can do this. So, if there are n members of axiom(r) that are instance 
axioms, an open tableau branch will have exactly n + 1 different prefixes on 
it: prefix 1 with which we started, and the n additional prefixes introduced by 
possibility rule applications to instance axioms. 

Now, proceed with the construction of a model, using an open tableau branch, 
as outlined in Section 12.2. We get a model with n+ 1 worlds, with X is false at 
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world 1, and a world corresponding to each instance axiom. Because of the form 
of X (only existential quantifiers and a single possibility symbol), since it is false 
at world 1, it is also false at every world. If we now consider the submodel in 
which world 1 is dropped, it is not hard to check that truth values of members 
of axiom (r) do not change at remaining worlds, nor does the truth value of X. 
And the resulting model is (isomorphic to) model (r). 

13 Conclusion 

I want to finish by describing two plausible directions for future work, one having 
to do with the modal logic directly, the other with its applications to databases. 

The tableau proof procedure given here used parameters and, as such, is me- 
ant for human application. But it should be possible to develop a free-variable 
version that can be automated. The S5 modality itself is a kind of quantifier, 
but it is of a simple nature. Object quantification is essentially classical. Con- 
cept quantification may create some difficulty — I don’t know. Equality plays a 
fundamental role, but it is a rather simple one. Perhaps what is needed can be 
captured efficiently in an automated proof procedure. 

The databases considered here were all conventional relational ones. This is 
what the first-order modal language can handle. But one could consider multiple- 
valued databases, say, in which entries can be sets. Or for a more complicated ex- 
ample, consider this. Say a record represents a person, and among a person’s at- 
tributes are these three: FAV0RITE_B00K, FAV0RITE_M0VIE, and MOST.IMPORTANT. 
The first two attributes have the obvious meaning. The MOSThIMPORTANT attri- 
bute records which that person considers most important in evaluating someone, 
FAV0RITE_B00K or FAV0RITE_M0VIE. Thus MOST.IMPORTANT is an attribute whose 
value is an attribute. (This example is meant to be easily described, and hence 
is rather artificial. More realistic examples are not hard to come by.) The mo- 
dal logic of this paper is really the first-order fragment of a lrigher-type system, 
presented in full in [1]. If one uses that, one can easily have sets of objects, or 
attributes, as entries. Indeed, one can consider much more complex things yet. 
Of course the proof procedure also becomes more complex, as one would expect. 
Whether such things are of use remains to be seen. 
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Abstract. The symmetry rule in propositional logic allows the exploita- 
tion of symmetries present in a problem. In the context of resolution, the 
rule enables the shortening of refutations by using symmetries present 
in an initial set of clauses. These symmetries can be local or global. The 
present paper proves that the local symmetry rule is strictly more po- 
werful than the global symmetry rule. It also exhibits sets of clauses that 
show exponential lower bounds for the local symmetry rule, where the 
symmetry group consists of all variable permutations. These examples 
remain exponentially hard even when the symmetry group is enlarged 
to include complementation. Examples are exhibited in which resolution 
with the global symmetry rule has an exponential speed-up with respect 
to the cutting plane refutation system. 



1 Introduction 

The symmetry rule arises naturally in proofs of combinatorial principles; in many 
cases it allows significant shortening of proofs. In proofs of combinatorial theo- 
rems like Ramsey’s theorem, for example, the occurrence of a phrase such as 
. . without loss of generality, we may assume that ...” usually signals the ex- 
ploitation of a symmetry present in the problem. Thus it is natural to consider 
the addition of this rule to familiar proof systems for propositional logic. 

We discuss the efficiency of the rule and some of its variants in the context of 
the resolution proof system for propositional logic. In an earlier paper [16], the 
second author proved lower bounds on the size of resolution proofs employing 
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a global form of the rule; that is to say, the symmetry rule was applicable in 
cases where there was a global symmetry in the original contradictory set of 
clauses representing the input to the resolution refutation system. This paper 
also defined a local form of the symmetry rule, where local symmetries in the 
input clause sets could be exploited, but no lower bounds were proved for this 
stronger symmetry rule. 

In this paper, we prove superpolynomial lower bounds for the local form of 
the symmetry rule, and also prove separation results for this form of the rule from 
the global form of the rule. The symmetry rule can of course be employed in other 
formulations of propositional logic. The first author has considered the effects of 
adding a form of the symmetry rule to cut-free Gentzen systems [3,2,1], and has 
shown that in many cases significant speed-ups can be obtained as compared 
with the system without the symmetry rule. 

2 Definitions and Preliminaries 

Before proceeding to consideration of particular proof systems, let us fix nota- 
tion. We assume an infinite supply of propositional variables and their negations; 
a variable or its negation is a literal. We say that a variable P and its negation 
->P are complements of each other; we write the complement of a literal l as l. 
A finite set of literals is a clause-, it is to be interpreted as the disjunction of the 
literals contained in it. The width of a clause C is the number of literals in it, 
and denoted by w(C). The width of a set E of clauses is the maximum width of 
a clause in E. 

We shall sometimes write a clause by juxtaposing the literals in it. An assig- 
nment is an assignment of truth-values to a set of propositional variables; some 
variables may remain unset under an assignment. 

The resolution rule is a simple form of the familiar cut rule. If Al and Bl are 
clauses, then the clause AB may be inferred by the resolution rule, resolving on 
the literal l. If either A or B is the empty clause, then we refer to the inference 
as a unit resolution. A resolution refutation of a set of clauses A is a derivation 
of the empty clause A from E , using the resolution rule. 

If V is a set of variables, and a a permutation of V, then for any clause C 
built from the variables in V, we define the clause a(C) to be the clause resulting 
from C by applying a to each variable in C. For a set of clauses F, define er(F) 
to be {c t(C ) | C e F}. 

The symmetry rule was introduced as an extension to the resolution system 
in a paper by Krishnamurthy [12]. The rule of symmetry allows the following 
inference. If a clause C has been derived from a set of clauses P, and er(F) = P, 
then the clause cr(C) can be inferred as the next step in the derivation. A proof 
from a set of clauses P in which each step is inferred by resolution from two earlier 
steps, or by the symmetry rule from an earlier step, is a symmetric resolution or 
SR-I proof. 

The form of the symmetry rule just defined is designed to exploit global 
symmetries in a set of clauses. Krishnamurthy also defined a more general form 
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of the symmetry rule that is able to exploit local symmetries. The local symmetry 
rule allows the following inference. Suppose that C is a clause derived from a set 
of clauses T, and for every clause A in T used in the derivation of C, cr(A) is also 
in r . Then the local symmetry rule allows the derivation of cr(C'). A proof from 
a set of clauses r in which each step is inferred by resolution from two earlier 
steps, or by the local symmetry rule from an earlier step, is a locally symmetric 
resolution proof or SR-II proof. 

The symmetry rule can also be generalized in another direction. If L is the 
set of literals based on a set of n variables, then L is closed under the comple- 
mentation group, whose elements are the 2" complementation operations; such 
an operation interchanges literals and their complements, for some subset of the 
literals in L. The symmetric group of all permutations of the variables acts in a 
natural way on the set of literals; hence this group can be enlarged to a group of 
order 2™ • n! by adding the complementation operations. Following Harrison [11, 
Ch. 5], let us call this enlarged group the group of permutations and complemen- 
tations. We can extend the symmetry rule (in either its global or local form) by 
allowing the inference of cr(C) from C, where cr is an operation in the group of 
permutations and complementations under which r is invariant (or under which 
r is closed, when a is applied to the appropriate subset of T, in the local form 
of the rule). Let us call the resulting proof systems SRC-I and SRC-II. 

For each of these proof systems, we define the length of a proof as the number 
of inferences in the proof; the size of a proof is the number of occurrences of 
symbols in it. For the inference systems defined above, the two measures of 
proof complexity are polynomially related. If P is a refutation system, we define 
the P complexity of a set of clauses as the length of a minimal size refutation of 
this set of clauses in P. Thus the resolution complexity of a contradictory set of 
clauses E is the minimal length of a resolution refutation of E. 

To compare the relative efficiency of refutation systems for sets of clauses, we 
define a notion of efficient simulation. If Si and £2 are both refutation systems 
for sets of clauses, then we say that £1 p-simulates £2 if whenever there is a 
refutation P 2 of a set of clauses E in the system S 2 there is a refutation Pi of 
E in the system £ 1 , where the size of Pi is bounded by a fixed polynomial in 
the size of P 2 . If £1 and S 2 p-simulate each other, then we say that they are 
p- equivalent. 

In proving lower bounds, we shall employ various examples of sets of clauses 
based on finite graphs. The graph-theoretical terminology used in this paper is 
that of Bollobas [5]. A graph G is an ordered pair of finite sets (V,E) where E 
is a subset of the set of unordered pairs of V; the set V = V{G) is the set of 
vertices of G, while E = E(G) is the set of edges of G. If U, W are subsets of 
V, then we write E(U, W) for the set of edges joining a vertex in U to a vertex 
in W. If x, y are vertices, then we write xy for the edge containing x and y. The 
degree of a vertex is the number of vertices adjacent to it. We say that two edges 
are adjacent if they have exactly one vertex in common; a set of edges in a graph 
is independent if no two edges in the set are adjacent. A matching in a graph G 
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is an independent subset of E(G); the matching is perfect if every vertex in G 
belongs to one of the edges in the matching. 

3 Separating Local and Global Symmetry Rules 

It seems clear that local symmetry rules are more powerful than their correspon- 
ding global versions. It is fairly easy to verify this impression by constructing 
appropriate sets of clauses. Here we show an exponential speed-up of the local 
over global symmetry rules by employing sets of clauses based on matchings in 
graphs. 

Given a graph G = (V. E), we can formulate the assertion that G has a 
perfect matching as a set of clauses, PM(G). Where x,y G V, the propositional 
variable P xy is to be read as asserting: “Vertex x is matched with vertex y.” 
We identify the variable P xy with the variable P yx . If X is a vertex in V, the 
disjunction D x = \J{P xy \ y adjacent to x} asserts that x is matched with one 
of its neighbours. Similarly, the disjunction E xyz = (~<P X y V ~>P xz ) asserts that 
x cannot be matched with both y and z. The set of clauses PM(G) contains all 
the disjunctions D x , for x G V, together with all the disjunctions E xyzi where 
x,y,z&V,x is adjacent to y and z, and y ^ z. If G is a graph with n vertices, 
and maximum degree d, then PM(G) has size 0(d 2 n). 

If G has no perfect matching (for example, if G has an odd number of vertices) 
then PM(G) is contradictory. Let K(n+ 1 , n) be the complete bipartite graph 
with V = Vi U V 2 , \Vi\ = n+1, \V 2 \ = n, and E = {{x,y} \ x G V\ ,y G V 2 }. The 
set of clauses PM(K(n + l,n)) is contradictory; the statement of this fact is a 
formulation of the pigeon-hole principle, so we shall refer to these clauses as the 
pigeon-hole clauses PHC n . Armin Haken proved the following result about the 
complexity of resolution refutations of PHC n . 

Theorem 1. There is a c > 1 so that any resolution refutation of PHC n con- 
tains at least c n distinct clauses. 

Proof. Haken’s original proof is in [10]. A simpler proof can be found in [4]. □ 

The graph K(n + 1, n) is highly symmetric; we can use this fact to get a short 
SR-I refutation of PHC n (an observation of Krishnamurthy) . We formalize the 
following informal proof: “If there is an injective map f from {1, • • • , n + 1} to 
{1, ■ • • n}, then there is a k, 1 < k < n, so that f(n + 1) = k. By symmetry, we 
can assume that k = n. But then the map f obtained by removing (n + l,n) 
from f is an injective mapping from {1, • • • , n} into {1, • • • , n — 1}. Hence the 
theorem follows by induction on n.” 

Theorem 2. There are SR-I refutations of length (3 n + l)n/2 for the pigeon- 
hole clauses PHC n . 

Proof. A detailed proof of the theorem is in Urquhart [16]. □ 

To defeat the global symmetry rule, we can use the simple idea of attaching 
“tails” to the vertices of the graph G underlying the set of clauses PM(G). That 
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is to say, we attach to each vertex of G a tail containing an even number of 
vertices, where each tail is of a different length. To make this idea precise, let 
us suppose we are given a graph G with vertices {x \, . . , x n }. With the vertex 
x, we associate a set of “tail vertices” [t \ , . . . ,t 2i }. The “graph with tails” G 4 
constructed from G is defined to be the graph whose vertices consist of the 
original vertices of G, together with all the new tail vertices. The edges of G 4 
consists of the original edges of G, together with edges joining Xi to t\, t\ to 
^2) • ■ • > 4i- -l to 4i, for each vertex Xi of G. Figure 1 illustrates the result of 
attaching tails to the complete graph K 4 . 




Lemma 1. If G is a graph of degree at least 2, then G 4 , the result of adding 
tails to G, has no global symmetries. Hence, PM(G t ) has no non-trivial global 
symmetries. 

Proof. Any symmetry of G 4 must map the vertices at the ends of tails into 
other vertices of the same type (since they are the only vertices of degree 1). It 
follows that tails must be mapped into tails. But then the symmetry must be 
the identity, for otherwise a vertex of degree 2 would be mapped into a vertex 
of greater degree, since all the tails are of different lengths. The set of clauses 
PM{G t ) therefore has no non-trivial global symmetries, since any symmetry of 
the set of clauses would give rise to a symmetry of G. □ 

We can now separate the local and global symmetry rules by employing the 
trick of adding tails to the pigeon-hole clauses. That is, let I\(n + 1 ,n) 4 be 
the result of adding tails to the complete bipartite graph K(n + 1 ,n). Then the 
addition of tails defeats the global, but not the local symmetry rule. Let us write 
PHC '* for the set of “pigeon-hole clauses with tails,” that is, the set of clauses 
PM(K(n + l,n) 4 ). Before proving this result, we prove a simple lemma about 
restrictions of resolution refutations. 
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Lemma 2. Let £ be a set of clauses, and an assignment to a subset of the 
variables in £ . If R = C\, ■ ■ ■ , Ck is a resolution refutation of £, then R\ <f> = 
C\ \ 4>, - ■ ■ ,Ck \ 4> contains a subsequence that is a resolution refutation of £ \ <f>. 

Proof. We prove by induction on the length of the refutation the more general 
claim: iiCj\<j>^\, then C\ \ (j>, ■ ■ ■ , Cj \ (j) contains a subsequence that is a reso- 
lution proof of a subclause of Cj \ f>. □ 

Theorem 3. 1 . There is a c > 1 so that any SR-I refutation of PHC* contains 

at least c n distinct clauses. 

2. There are SR-II refutations of length (3 n + l)n/2 + 0(n ) of PHC '*. 

Proof. Since PHC. * has no global symmetries, it follows that the global sym- 
metry rule cannot be employed in a refutation of this set of clauses. Thus any 
SR-I refutation of PHC ^ must simply be a resolution refutation. Let f> be the 
assignment to the edge variables that results from matching all the tail vertices 
with other tail vertices (this can be done because all the tails are of even length) . 
The result of applying this restriction to PHC* is the original set of pigeon-hole 
clauses PHC n . By Lemma 2, any resolution refutation of PHC * must be at least 
as long as a resolution refutation of PHC n . Hence, an exponential lower bound 
follows by Haken’s lower bound for the pigeon-hole clauses (Theorem 1). 

To construct short SR-II refutations of PHC*, we can adapt the original short 
SR-I refutations described in Theorem 2. The clauses associated with the vertices 
of the original bipartite graph I\(n+ 1, n) in PHC * are identical with the original 
pigeon-hole clauses PHC n , except that for each vertex x, the positive clause D x 
associated with x contains an extra variable P x representing the edge attaching 
x to its associated tail. Clearly this subset of the clauses has the same set of 
symmetries as PHC n . Thus we can imitate the short SR-II refutation of PHC n 
to obtain a short SR.-II proof of the clause {P x \ x a vertex in K(n + l,n)}. By 
repeated application of unit resolution, we can then derive the empty clause in 
0(n) steps. □ 

Corollary 1. SR-I cannot p-simulate SR-II. 

4 Exponential Lower Bounds for SRC-II 

In the previous section, and also in the predecessor to this paper [16], the global 
symmetry rule was defeated by the simple process of constructing sets of clauses 
with no global symmetries, so that the global symmetry rule could not be applied. 
This suggests that we could apply the same idea to the local symmetry rule by 
constructing sets of clauses with no useful local symmetries. In this section, we 
give a very easy construction that, given an arbitrary set of clauses £ as input, 
constructs a new set of clauses £* that is not much larger than the original 
set, for which the local symmetry rule does not allow any useful speedup. This 
immediately leads to an exponential lower bound for SRC-II. 

Let If be a set of clauses (Ci , • • • , Ck} where CVs are ordered so that w(Ci) < 
w(Ci+i) for every 1 < i < k — 1. Let pi, ■ ■ ■ ,p m be a set of new variables, where 
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to = k(k + l)/2. Now let the clauses Di,---,D k be defined as the sequence 
Cip\, C 2 P 2 P 3 , • • •; that is to say, we add one new variable to C\, two new variables 
to C 2 , and so on. Note that w(Di) ^ w(Dj) for any i ^ j. Then we define E* 
to be the set {Di,- ■ ■ , D k } U {-ipj|l < i < to}. Let us write V for the variables 
in E, and V* for V augmented with the new variables pi, ■ ■ ■ ,p m - 

The new set of clauses consists of k clauses of widths bounded by k + 
max{u>(Ci)|l < i < k}, together with m unit clauses. All of the clauses have 
different widths, with the exception of the unit clauses. It follows that E* has 
only a very restricted set of local symmetries. Let <f> be the assignment that sets 
all the new variables Pi, ■ ■ ■ ,p m to 0, so that E* [ (j) = E. If a is a permutation 
of V* , then let us write a\V for a restricted to the set V of original variables. 

Lemma 3. If a is a local symmetry of E* , then a\ V induces the identity map 
on the clauses in E. 

Proof. If Di £ E* , then a(Df) = Di , because all the clauses in E* , with the 
exception of the unit clauses, are of different widths. It follows immediately that 
<r(Ci) = Ci. □ 

The next lemma is just a slightly more elaborate version of Lemma 2. 

Lemma 4. If R = C\, - ■ ■ , C k is an SRC-II refutation of E* , then R\ <p = 
Ci f (j>, ■ ■ ■ , Ck f (j) contains a subsequence that is a resolution refutation of E = 
E*\cf. 

Proof. We prove by induction on the length of the refutation the more general 
claim: if ^ 1, then C\ \ <f>, ■ ■ ■ , Cj \ (j) contains a subsequence that is a re- 

solution proof of a subclause of Cj \ <p. For the input clauses, this is immediate, 
since the unit clauses are set to 1 by the restriction cj). Let us assume that Cj 
is inferred from Ch and Ci by the resolution rule. If the variable resolved on is 
one of the new variables pi, ■ • ■ ,p m , then one of the premisses must be a unit 
clause belonging to E*. It follows that Cj\ <j> must be identical with one of the 
premisses Ch f <t> or C} \ (j). If the variable resolved on belongs to V, then Cj \ 
can be inferred from Ch f 4> and Ci \ <p by resolution. Finally, if a{Cf) is inferred 
by the local symmetry rule from Ci, then by Lemma 3, (j(Cj \ <j>) = C t \ (j). □ 

The next theorem follows immediately from Lemma 4. 

Theorem 4. If E is a set of clauses, then the SRC-II complexity of E* is 
bounded from below by the resolution complexity of E. 

Theorem 4 guarantees that there exists as many hard examples for SRC-II 
as for resolution. For example, the sequence of sets of clauses {PHCf,} obtai- 
ned from the pigeon-hole clauses is exponentially hard for SRC-II. There are 
sequences {E k } of contradictory sets of clauses in 3CNF of size 0(k) that re- 
quire resolution refutations of size 2°^ (for details, see [15,7,4] ). Consequently, 
we obtain the following result. 
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Corollary 2 . There exists a sequence of contradictory sets of clauses {A^} such 
that any SRC-II refutation of A k contains 2 *A fc ) clauses, though the size of each 
£k is 0(k 2 ). 

The cutting plane system is another refutation system for propositional for- 
mulas in conjunctive normal form. In the cutting plane system, the truth values 
true and false are interpreted by 1 and 0 and propositional formulas are expres- 
sed by systems of linear inequalities. The goal (in constructing a refutation) is to 
derive the inequality 0 > 1. It has its origins in the work of Gomory [9] in integer 
linear programming. It can also be considered as a generalization of resolution, 
since it is easy to give an efficient translation from sets of clauses to sets of li- 
near inequalities so that if the original set of clauses has a resolution refutation, 
the corresponding set of linear inequalities has a cutting plane refutation that 
is not much longer. The cutting plane system is strictly more powerful than the 
resolution system, since, for example, the pigeon-hole clauses have short cutting 
plane refutations; for details see [8]. 

The cut-free sequent calculus is also a refutational system for propositional 
formulas when we restrict the system so that every sequent is of the form, 

Ci, , C n — » .1 

where C,; are clauses. The cut-free proofs are expressed either as trees or direc- 
ted acyclic graphs. When expressed as trees, the cut-free sequent calculus and 
the analytic tableau system p-simulate each other. When expressed as directed 
acyclic graphs, it is as efficient as resolution on the class of formulas written in 
3CNF. By adding the symmetry rule on the (DAG-like) cut-free sequent calcu- 
lus, we obtain a system called simple combinatorial reasoning. Simple combina- 
torial reasoning polynomially proves many combinatorial problems including the 
pigeon-hole clauses [3,2,1]. 

Before we finish this section, we note that both cutting planes and simple 
combinatorial reasoning polynomially prove {PHCf,}; SRC-II p-simulates neit- 
her of them. In this paper, we only outline the proof. First we show the following 
lemma. 

Lemma 5. Let £ is a set of clauses of size n. Suppose that £ is reduced to 
another set of clauses £' by using only unit resolution. If cutting planes has a 
proof for £' of size m, it has a proof for £ of size mn 2 . The same thing holds 
for simple combinatorial reasoning. 

It is easy to show that for any sets of clauses £, £* is reducible to £ by 
using only unit resolution. More specifically, PHC% is reducible to PHCk by 
using unit resolution. Consequently, both cutting planes and simple combinato- 
rial reasoning polynomially proves { PHC £}. 

Theorem 5. SRC-II p-simulates neither cutting planes nor simple combinato- 
rial reasoning. 
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5 Separation of SR-I from Cutting Planes 

In the previous section, we gave an exponential lowerbound for SRC-II and 
show that SRC-II p-simulates neither cutting planes nor simple combinatorial 
reasoning. In this section, we show that the cutting plane proof system and 
SRC-II are incomparable in the p-simulation ordering. This result follows from 
an exponential lower bound proved by Pudlak [13] and our polynomial upper 
bound for the same sequence of formulas. 

We now define the examples used by Pudlak in proving lower bounds for the 
cutting plane system. We define k-Clique(n) to be the following set of clauses: 

1. {q it i, . . . , q it n} for 1 < i < k, 

2. ~^qj,m} for 1 < to < n and 1 < i < j < k, and 

3. {-> qi , m , - , qj,i,Pm,l} for 1 < m < l < n and 1 < i, j < k. 

The above clauses encode a graph which has n vertices and contains a fc-clique 
as follows. We enumerate all the vertices of the graph (1, . . . , n}. The q's encode 
a function / from (1, . . . , k} to (1, . . . , n}. The literal qij means that /(*) = l. 
(The intuitive meaning of f(i) = l is that the vertex named i in the graph is 
actually the vertex named l in the fc-clique.) The p m j encode that there exists 

an edge between m and l. Hence, the first clause means that the function / is 

defined for all i fc). The second clause means that / is one-to-one. The 

third clause means that if there exists i,j such that f(i) = m and f(j) = /, then 
there exists an edge between m and l. Note that k-Clique(n ) corresponds to the 
positive test graph in the proof of lower bounds for monotone circuits (Razborov 
[14], Boppana and Sipser [6]). Pudlak’s result rests on a generalization of this 
proof. 

We define k'-Color(n ) to be the following set of clauses: 

1- {r m , l, ■ • ■ for 1 < m < n, 

2- {“’T'm.yj for 1 < ?Ti < 7i and 1 < i < j < k\ and 

3- ~^Pm,l} for 1 < to < l < n and 1 < i < k'. 

The above clauses encode a graph which is a fc'-partite graph as follows. The 
r’s encode a coloring function g from {1, . . . ,n} to {1, . . . , k'}. The literal r rn j 
means that the vertex named m is colored by i. Hence, the first clause means 
that every vertex is colored. The second clause means that none of the vertices 
has more than one color. The third clause means that the coloring is proper: 
when the vertices m and l have the same color, then there is no edge between 
to. and l. Note that k'-Color(n ) corresponds to the negative test graph. 

We now define k-Test(n) to consist of all the clauses in k-Clique(n) together 
with the clauses in (k— l)-Color(n). The size of k-Test(n) is 0(?r 4 ). It is easy 
to see that k-Test(n) is unsatisfiable: as a matter of fact, if all the clauses in 
k-Clique(n) is true, then the graph contains a /c-clique. A fc-clique cannot have a 
proper (fc — l)-coloring. This means at least one of the clauses in (fc— l)-Color(n) 
must be false. 




